Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ORDER REF_47806798 .exe

Overview

General Information

Sample name:ORDER REF_47806798 .exe
Analysis ID:1545992
MD5:b1409192281b85ae112868f828087864
SHA1:a6e85b73dfbc0494f435fe2e78bdb4977a4a2fe5
SHA256:3721299ab8cab7453d4781c5d3acc4304dffd8335164fbdfc31c80959cb0b35b
Tags:AsyncRATexeuser-lowmal3
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ORDER REF_47806798 .exe (PID: 7532 cmdline: "C:\Users\user\Desktop\ORDER REF_47806798 .exe" MD5: B1409192281B85AE112868F828087864)
    • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • InstallUtil.exe (PID: 7732 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • powershell.exe (PID: 7984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'installutil.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6024 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\installutil.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • InstallUtil.exe (PID: 7740 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • WerFault.exe (PID: 7816 cmdline: C:\Windows\system32\WerFault.exe -u -p 7532 -s 1040 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
{"C2 url": ["176.9.162.125"], "Port": "4060", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
SourceRuleDescriptionAuthorStrings
00000004.00000002.3802232685.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
    00000004.00000002.3802232685.0000000000402000.00000040.00000400.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0x74e0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x757d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7692:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x718e:$cnc4: POST / HTTP/1.1
    00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
      00000001.00000002.1644133469.0000026E9F4B1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        00000001.00000002.1644133469.0000026E9F4B1000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0x89f90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x92df8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x8a02d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x92e95:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x8a142:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x92faa:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x89c3e:$cnc4: POST / HTTP/1.1
        • 0x92aa6:$cnc4: POST / HTTP/1.1
        Click to see the 5 entries
        SourceRuleDescriptionAuthorStrings
        1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.unpackJoeSecurity_XWormYara detected XWormJoe Security
          1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0x58e0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x597d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x5a92:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x558e:$cnc4: POST / HTTP/1.1
          4.2.InstallUtil.exe.400000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
            4.2.InstallUtil.exe.400000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0x76e0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x777d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0x7892:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0x738e:$cnc4: POST / HTTP/1.1
            1.2.ORDER REF_47806798 .exe.26e9f53c718.2.unpackJoeSecurity_XWormYara detected XWormJoe Security
              Click to see the 5 entries

              System Summary

              barindex
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 7732, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe', ProcessId: 7984, ProcessName: powershell.exe
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 7732, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe', ProcessId: 7984, ProcessName: powershell.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 7732, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe', ProcessId: 7984, ProcessName: powershell.exe
              Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 7732, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installutil.lnk
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 7732, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe', ProcessId: 7984, ProcessName: powershell.exe
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-31T11:20:52.264049+010020229301A Network Trojan was detected4.245.163.56443192.168.2.749779TCP
              2024-10-31T11:21:31.267330+010020229301A Network Trojan was detected20.12.23.50443192.168.2.749984TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-31T11:21:14.867553+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:21:17.863825+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:21:27.394699+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:21:37.994960+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:21:44.870337+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:21:48.619964+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:21:59.245185+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:08.666723+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:14.877686+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:17.047605+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:17.761011+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:17.917693+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:18.337735+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:18.450458+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:18.472273+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:19.432219+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:19.567221+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:19.912831+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:20.805164+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:20.989357+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:21.050532+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:21.124756+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:21.349286+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:22.159982+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:22.655113+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:23.705151+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:25.037531+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:26.939182+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:27.296811+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:27.431632+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:28.282546+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:30.018269+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:30.459106+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:33.783847+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:34.447765+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:36.381247+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:36.516183+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:36.822950+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:36.957661+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:41.047520+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:43.745679+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:43.880436+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:44.714276+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:44.866407+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:46.452960+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:46.587620+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:46.784691+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:46.920008+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:47.006218+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:47.061060+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:47.195912+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:49.044118+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:49.557850+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:51.870632+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:52.356139+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:58.552469+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:58.780972+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:02.750312+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:03.053478+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:04.864026+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:05.619132+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:06.050850+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:08.309898+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:08.624086+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:09.601706+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:11.572077+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:11.877830+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:12.145004+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:14.457633+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:14.592526+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:14.943612+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:15.073391+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:15.484001+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:16.382948+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:18.480610+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:18.616623+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:19.393144+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:20.497929+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:21.205348+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:21.649460+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:23.474843+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:23.609845+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:26.387258+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:26.620703+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:26.755507+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:27.169715+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:27.710491+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:27.905689+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:28.550053+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:28.684817+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:29.986962+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:32.549262+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:33.289379+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:35.566249+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:36.553866+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:36.688785+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:36.823671+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:37.860410+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:38.127812+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:38.684710+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:39.991935+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:40.711570+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:41.293376+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:42.260947+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:42.542904+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:43.504185+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:43.638865+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:45.164720+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:45.299739+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:45.693135+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:47.223680+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:47.357343+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:47.491865+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:47.614417+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:48.247327+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:48.866755+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:49.418093+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:50.571040+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:50.705902+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:51.305052+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:51.439721+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:52.474405+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:52.608986+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:55.223926+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:55.980671+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:56.776013+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:58.327048+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:58.632145+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:59.388075+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:00.274247+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:01.287260+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:01.505167+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:01.522863+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:01.585507+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:01.639820+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:01.720387+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:04.510676+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:04.645387+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:06.977984+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:07.634093+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:08.022091+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:08.156909+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:09.363550+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:09.497685+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:09.912424+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:10.196429+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:10.331125+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:10.603205+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:11.334978+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:11.474652+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:11.604506+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:11.625591+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:11.760539+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:12.166159+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:12.270313+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:12.299479+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:13.406657+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:13.769609+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:14.293957+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:14.867965+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:15.311521+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:15.446284+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:16.307057+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:16.782125+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:17.379738+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:17.704994+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:17.705479+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:17.721237+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:17.833422+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:18.181397+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:19.458637+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:19.593241+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:20.166545+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:20.182700+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:20.251761+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:20.301138+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:21.338219+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:21.560188+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:21.694966+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:22.237497+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:23.498845+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:23.633299+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:24.140809+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:25.234436+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:26.968263+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:27.579282+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:29.338859+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:29.549792+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:30.090024+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:30.263136+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:30.438810+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:30.687712+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:31.453412+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:31.588050+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:31.763806+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:33.343031+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:33.454721+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:33.475972+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:33.589092+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:34.113810+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:34.210981+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:34.247685+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:34.409430+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:36.590531+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:36.834009+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:40.629246+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:40.742587+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:40.762607+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:40.962938+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:41.641215+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:41.775940+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:45.234487+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:45.235577+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:45.236262+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:45.236443+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:45.244626+010028528701Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-31T11:21:14.867553+010028528741Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:21:44.870337+010028528741Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:14.877686+010028528741Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:22:44.866407+010028528741Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:14.943612+010028528741Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:23:45.299739+010028528741Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:14.867965+010028528741Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:45.236262+010028528741Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              2024-10-31T11:24:45.244626+010028528741Malware Command and Control Activity Detected176.9.162.1254060192.168.2.749864TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-31T11:22:23.436376+010028531931Malware Command and Control Activity Detected192.168.2.749864176.9.162.1254060TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-31T11:21:09.372999+010028531921Malware Command and Control Activity Detected192.168.2.749864176.9.162.1254060TCP

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Source: 00000001.00000002.1644133469.0000026E9F4B1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["176.9.162.125"], "Port": "4060", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
              Source: ORDER REF_47806798 .exeReversingLabs: Detection: 65%
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Source: ORDER REF_47806798 .exeJoe Sandbox ML: detected
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpackString decryptor: 176.9.162.125
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpackString decryptor: 4060
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpackString decryptor: <123456789>
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpackString decryptor: <Xwormmm>
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpackString decryptor: USB.exe

              Exploits

              barindex
              Source: Yara matchFile source: 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: ORDER REF_47806798 .exe PID: 7532, type: MEMORYSTR
              Source: ORDER REF_47806798 .exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER5112.tmp.dmp.8.dr
              Source: Binary string: System.Core.pdb0 source: WER5112.tmp.dmp.8.dr
              Source: Binary string: mscorlib.pdb` source: WER5112.tmp.dmp.8.dr
              Source: Binary string: mscorlib.pdb source: WER5112.tmp.dmp.8.dr
              Source: Binary string: System.ni.pdbRSDS source: WER5112.tmp.dmp.8.dr
              Source: Binary string: mscorlib.ni.pdb source: WER5112.tmp.dmp.8.dr
              Source: Binary string: System.Core.pdb source: WER5112.tmp.dmp.8.dr
              Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: installutil.exe.4.dr
              Source: Binary string: Microsoft.VisualBasic.pdb- source: WER5112.tmp.dmp.8.dr
              Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER5112.tmp.dmp.8.dr
              Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER5112.tmp.dmp.8.dr
              Source: Binary string: InstallUtil.pdb source: installutil.exe.4.dr
              Source: Binary string: System.ni.pdb source: WER5112.tmp.dmp.8.dr
              Source: Binary string: System.pdb source: WER5112.tmp.dmp.8.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WER5112.tmp.dmp.8.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WER5112.tmp.dmp.8.dr
              Source: Binary string: System.Core.ni.pdb source: WER5112.tmp.dmp.8.dr

              Networking

              barindex
              Source: Network trafficSuricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.7:49864 -> 176.9.162.125:4060
              Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 176.9.162.125:4060 -> 192.168.2.7:49864
              Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 176.9.162.125:4060 -> 192.168.2.7:49864
              Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49864 -> 176.9.162.125:4060
              Source: Network trafficSuricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49864 -> 176.9.162.125:4060
              Source: Malware configuration extractorURLs: 176.9.162.125
              Source: global trafficTCP traffic: 192.168.2.7:49864 -> 176.9.162.125:4060
              Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
              Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49779
              Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.7:49984
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: unknownTCP traffic detected without corresponding DNS query: 176.9.162.125
              Source: powershell.exe, 0000000E.00000002.1527917082.0000000006E02000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1582276027.00000000078CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
              Source: powershell.exe, 00000010.00000002.1561683362.00000000032C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro%n
              Source: powershell.exe, 00000010.00000002.1585779834.00000000087F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
              Source: powershell.exe, 0000000A.00000002.1465772623.000000000602B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1523894198.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1576920828.0000000005E8A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000010.00000002.1563688392.0000000004F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1581510614.0000000007800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 0000000A.00000002.1462577802.0000000005116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1513123275.00000000044E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1563688392.0000000004F76000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: InstallUtil.exe, 00000004.00000002.3807167719.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1462577802.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1513123275.0000000004391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1563688392.0000000004E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 0000000A.00000002.1462577802.0000000005116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1513123275.00000000044E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1563688392.0000000004F76000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: Amcache.hve.8.drString found in binary or memory: http://upx.sf.net
              Source: powershell.exe, 00000010.00000002.1563688392.0000000004F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1581510614.0000000007800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 0000000A.00000002.1462577802.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1513123275.0000000004391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1563688392.0000000004E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000010.00000002.1576920828.0000000005E8A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000010.00000002.1576920828.0000000005E8A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000010.00000002.1576920828.0000000005E8A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000010.00000002.1563688392.0000000004F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1581510614.0000000007800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 0000000A.00000002.1465772623.000000000602B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1523894198.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1576920828.0000000005E8A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              barindex
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, XLogger.cs.Net Code: KeyboardLayout
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, XLogger.cs.Net Code: KeyboardLayout

              System Summary

              barindex
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000004.00000002.3802232685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000001.00000002.1644133469.0000026E9F4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: initial sampleStatic PE information: Filename: ORDER REF_47806798 .exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeCode function: 1_2_00007FFAAC30E1091_2_00007FFAAC30E109
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeCode function: 1_2_00007FFAAC31758C1_2_00007FFAAC31758C
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeCode function: 1_2_00007FFAAC30E5911_2_00007FFAAC30E591
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeCode function: 1_2_00007FFAAC310FF91_2_00007FFAAC310FF9
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeCode function: 1_2_00007FFAAC301C761_2_00007FFAAC301C76
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeCode function: 1_2_00007FFAAC3038401_2_00007FFAAC303840
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeCode function: 1_2_00007FFAAC30B0601_2_00007FFAAC30B060
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeCode function: 1_2_00007FFAAC3175E31_2_00007FFAAC3175E3
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeCode function: 1_2_00007FFAAC3E00001_2_00007FFAAC3E0000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_011942A04_2_011942A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_011948984_2_01194898
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_011913004_2_01191300
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_011918804_2_01191880
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0365B4A010_2_0365B4A0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0365B49010_2_0365B490
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_042FB49814_2_042FB498
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_042FB48814_2_042FB488
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_033EB4A016_2_033EB4A0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_033EB49016_2_033EB490
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7532 -s 1040
              Source: ORDER REF_47806798 .exeStatic PE information: No import functions for PE file found
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1651899047.0000026EAF4B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNewStb.exeR vs ORDER REF_47806798 .exe
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1641191958.0000026E9D7AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs ORDER REF_47806798 .exe
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1643335228.0000026E9DA40000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUgovuyal> vs ORDER REF_47806798 .exe
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1651899047.0000026EAFA31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUgovuyal> vs ORDER REF_47806798 .exe
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1644133469.0000026E9F4B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs ORDER REF_47806798 .exe
              Source: ORDER REF_47806798 .exe, 00000001.00000000.1321264454.0000026E9D6E2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNewStb.exeR vs ORDER REF_47806798 .exe
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1651899047.0000026EAF919000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUgovuyal> vs ORDER REF_47806798 .exe
              Source: ORDER REF_47806798 .exeBinary or memory string: OriginalFilenameNewStb.exeR vs ORDER REF_47806798 .exe
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000004.00000002.3802232685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000001.00000002.1644133469.0000026E9F4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@16/21@0/1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\installutil.exeJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
              Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7532
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: \Sessions\1\BaseNamedObjects\4ZrqftQk1xSTve1a
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
              Source: ORDER REF_47806798 .exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: ORDER REF_47806798 .exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: ORDER REF_47806798 .exeReversingLabs: Detection: 65%
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeFile read: C:\Users\user\Desktop\ORDER REF_47806798 .exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\ORDER REF_47806798 .exe "C:\Users\user\Desktop\ORDER REF_47806798 .exe"
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7532 -s 1040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe'
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'installutil.exe'
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\installutil.exe'
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe'Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'installutil.exe'Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\installutil.exe'Jump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
              Source: installutil.lnk.4.drLNK file: ..\..\..\..\..\installutil.exe
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: ORDER REF_47806798 .exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: ORDER REF_47806798 .exeStatic file information: File size 1184301 > 1048576
              Source: ORDER REF_47806798 .exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER5112.tmp.dmp.8.dr
              Source: Binary string: System.Core.pdb0 source: WER5112.tmp.dmp.8.dr
              Source: Binary string: mscorlib.pdb` source: WER5112.tmp.dmp.8.dr
              Source: Binary string: mscorlib.pdb source: WER5112.tmp.dmp.8.dr
              Source: Binary string: System.ni.pdbRSDS source: WER5112.tmp.dmp.8.dr
              Source: Binary string: mscorlib.ni.pdb source: WER5112.tmp.dmp.8.dr
              Source: Binary string: System.Core.pdb source: WER5112.tmp.dmp.8.dr
              Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: installutil.exe.4.dr
              Source: Binary string: Microsoft.VisualBasic.pdb- source: WER5112.tmp.dmp.8.dr
              Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER5112.tmp.dmp.8.dr
              Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER5112.tmp.dmp.8.dr
              Source: Binary string: InstallUtil.pdb source: installutil.exe.4.dr
              Source: Binary string: System.ni.pdb source: WER5112.tmp.dmp.8.dr
              Source: Binary string: System.pdb source: WER5112.tmp.dmp.8.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WER5112.tmp.dmp.8.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WER5112.tmp.dmp.8.dr
              Source: Binary string: System.Core.ni.pdb source: WER5112.tmp.dmp.8.dr

              Data Obfuscation

              barindex
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, Messages.cs.Net Code: Memory
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
              Source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, Messages.cs.Net Code: Memory
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeCode function: 1_2_00007FFAAC3E0000 push esp; retf 4810h1_2_00007FFAAC3E0312
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0365636D push eax; ret 10_2_03656381
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_03652C70 push 04B807E4h; retf 10_2_03652D0E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_03652CB5 push 04B807E4h; retf 10_2_03652D0E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_042F5DD0 push esp; ret 14_2_042F5DE3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\installutil.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installutil.lnkJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installutil.lnkJump to behavior

              Hooking and other Techniques for Hiding and Protection

              barindex
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\D613E620851C2BBC5ABF 66DBE3B90371FE58CAA957E83C1C1F0ACCE941A36CF140A0F07E64403DD13303Jump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Source: Yara matchFile source: Process Memory Space: ORDER REF_47806798 .exe PID: 7532, type: MEMORYSTR
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeMemory allocated: 26E9DA20000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeMemory allocated: 26EB74B0000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 1150000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2C60000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 4C60000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 7220000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 5A220000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 2174Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 7660Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7228Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2450Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6255Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3486Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8272Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1372Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7724Thread sleep time: -24903104499507879s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 368Thread sleep count: 2174 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 368Thread sleep count: 7660 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8096Thread sleep time: -6456360425798339s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7164Thread sleep count: 6255 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7164Thread sleep count: 3486 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6452Thread sleep time: -3689348814741908s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5816Thread sleep time: -2767011611056431s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: Amcache.hve.8.drBinary or memory string: VMware
              Source: Amcache.hve.8.drBinary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin
              Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: Amcache.hve.8.drBinary or memory string: VMware20,1hbin@
              Source: Amcache.hve.8.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.8.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.8.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.8.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
              Source: Amcache.hve.8.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
              Source: Amcache.hve.8.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.8.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.8.drBinary or memory string: vmci.sys
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
              Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin`
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
              Source: Amcache.hve.8.drBinary or memory string: \driver\vmci,\driver\pci
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
              Source: InstallUtil.exe, 00000004.00000002.3802923240.0000000000E89000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
              Source: Amcache.hve.8.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.8.drBinary or memory string: VMware20,1
              Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.8.drBinary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.8.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.8.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.8.drBinary or memory string: VMware PCI VMCI Bus Device
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
              Source: ORDER REF_47806798 .exe, 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
              Source: Amcache.hve.8.drBinary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.8.drBinary or memory string: VMware Virtual RAM
              Source: Amcache.hve.8.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.8.drBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
              Source: Amcache.hve.8.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Source: ORDER REF_47806798 .exe, -----.csReference to suspicious API methods: GetProcAddress(_3358_33DF_2F43_2F93_2F4D_2FA7_2EA6_32E8_32CC, _2F13_2F51_2F0A_334B_33DA_2F5A_3376_330B_327A_33C1)
              Source: ORDER REF_47806798 .exe, -----.csReference to suspicious API methods: LoadLibrary(_3387_2E9F_2FCF_3337_322F_2EED_2FCB_327F_2F54[_326E_2F32_3242_2F66_2EAA_32DA._2F7A_31E7_3232_3331_2EBA_2EDC_2EE4])
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, Messages.csReference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
              Source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, XLogger.csReference to suspicious API methods: MapVirtualKey(vkCode, 0u)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\installutil.exe'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe'Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\installutil.exe'Jump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and writeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe'
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5AJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000Jump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000Jump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40C000Jump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40E000Jump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: AF2008Jump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe'Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'installutil.exe'Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\installutil.exe'Jump to behavior
              Source: InstallUtil.exe, 00000004.00000002.3807167719.0000000002D5B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3807167719.0000000002CBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: InstallUtil.exe, 00000004.00000002.3807167719.0000000002D5B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3807167719.0000000002CBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
              Source: InstallUtil.exe, 00000004.00000002.3807167719.0000000002D5B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3807167719.0000000002CBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: InstallUtil.exe, 00000004.00000002.3807167719.0000000002D5B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3807167719.0000000002CBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: InstallUtil.exe, 00000004.00000002.3807167719.0000000002D5B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.3807167719.0000000002CBE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managert-
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeQueries volume information: C:\Users\user\Desktop\ORDER REF_47806798 .exe VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\ORDER REF_47806798 .exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.8.drBinary or memory string: msmpeng.exe
              Source: Amcache.hve.8.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
              Source: Amcache.hve.8.drBinary or memory string: MsMpEng.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              barindex
              Source: Yara matchFile source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000002.3802232685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1644133469.0000026E9F4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.3807167719.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: ORDER REF_47806798 .exe PID: 7532, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7732, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Source: Yara matchFile source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.ORDER REF_47806798 .exe.26e9f53c718.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.ORDER REF_47806798 .exe.26e9f5338b0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000002.3802232685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1644133469.0000026E9F4B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.3807167719.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: ORDER REF_47806798 .exe PID: 7532, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7732, type: MEMORYSTR
              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
              Windows Management Instrumentation
              2
              Registry Run Keys / Startup Folder
              312
              Process Injection
              1
              Masquerading
              1
              Input Capture
              131
              Security Software Discovery
              Remote Services1
              Input Capture
              1
              Encrypted Channel
              Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              Native API
              1
              DLL Side-Loading
              2
              Registry Run Keys / Startup Folder
              1
              Modify Registry
              LSASS Memory2
              Process Discovery
              Remote Desktop Protocol11
              Archive Collected Data
              1
              Non-Standard Port
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              PowerShell
              Logon Script (Windows)1
              DLL Side-Loading
              11
              Disable or Modify Tools
              Security Account Manager41
              Virtualization/Sandbox Evasion
              SMB/Windows Admin SharesData from Network Shared Drive1
              Application Layer Protocol
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook41
              Virtualization/Sandbox Evasion
              NTDS1
              Application Window Discovery
              Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script312
              Process Injection
              LSA Secrets1
              File and Directory Discovery
              SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Deobfuscate/Decode Files or Information
              Cached Domain Credentials13
              System Information Discovery
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              Obfuscated Files or Information
              DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
              Software Packing
              Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
              DLL Side-Loading
              /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 signatures2 2 Behavior Graph ID: 1545992 Sample: ORDER REF_47806798 .exe Startdate: 31/10/2024 Architecture: WINDOWS Score: 100 39 Suricata IDS alerts for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 14 other signatures 2->45 8 ORDER REF_47806798 .exe 3 2->8         started        process3 signatures4 49 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->49 51 Writes to foreign memory regions 8->51 53 Allocates memory in foreign processes 8->53 55 Injects a PE file into a foreign processes 8->55 11 InstallUtil.exe 1 6 8->11         started        16 WerFault.exe 19 16 8->16         started        18 conhost.exe 8->18         started        20 InstallUtil.exe 8->20         started        process5 dnsIp6 37 176.9.162.125, 4060, 49864 HETZNER-ASDE Germany 11->37 35 C:\Users\user\AppData\...\installutil.exe, PE32 11->35 dropped 57 Bypasses PowerShell execution policy 11->57 59 Adds a directory exclusion to Windows Defender 11->59 22 powershell.exe 23 11->22         started        25 powershell.exe 23 11->25         started        27 powershell.exe 23 11->27         started        file7 signatures8 process9 signatures10 47 Loading BitLocker PowerShell Module 22->47 29 conhost.exe 22->29         started        31 conhost.exe 25->31         started        33 conhost.exe 27->33         started        process11

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand
              SourceDetectionScannerLabelLink
              ORDER REF_47806798 .exe66%ReversingLabsByteCode-MSIL.Backdoor.Xworm
              ORDER REF_47806798 .exe100%Joe Sandbox ML
              SourceDetectionScannerLabelLink
              C:\Users\user\AppData\Roaming\installutil.exe0%ReversingLabs
              No Antivirus matches
              No Antivirus matches
              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://crl.micro0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
              https://aka.ms/pscore6lB0%URL Reputationsafe
              http://crl.microsoft0%URL Reputationsafe
              http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              http://upx.sf.net0%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              NameIPActiveMaliciousAntivirus DetectionReputation
              bg.microsoft.map.fastly.net
              199.232.214.172
              truefalse
                unknown
                NameMaliciousAntivirus DetectionReputation
                176.9.162.125true
                  unknown
                  NameSourceMaliciousAntivirus DetectionReputation
                  http://nuget.org/NuGet.exepowershell.exe, 0000000A.00000002.1465772623.000000000602B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1523894198.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1576920828.0000000005E8A000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://crl.micropowershell.exe, 0000000E.00000002.1527917082.0000000006E02000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1582276027.00000000078CD000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000010.00000002.1563688392.0000000004F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1581510614.0000000007800000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 0000000A.00000002.1462577802.0000000005116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1513123275.00000000044E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1563688392.0000000004F76000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://aka.ms/pscore6lBpowershell.exe, 0000000A.00000002.1462577802.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1513123275.0000000004391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1563688392.0000000004E21000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://crl.microsoftpowershell.exe, 00000010.00000002.1585779834.00000000087F2000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000010.00000002.1563688392.0000000004F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1581510614.0000000007800000.00000004.00000020.00020000.00000000.sdmpfalse
                    unknown
                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 0000000A.00000002.1462577802.0000000005116000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1513123275.00000000044E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1563688392.0000000004F76000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    https://contoso.com/powershell.exe, 00000010.00000002.1576920828.0000000005E8A000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    https://nuget.org/nuget.exepowershell.exe, 0000000A.00000002.1465772623.000000000602B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1523894198.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1576920828.0000000005E8A000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    https://contoso.com/Licensepowershell.exe, 00000010.00000002.1576920828.0000000005E8A000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    https://contoso.com/Iconpowershell.exe, 00000010.00000002.1576920828.0000000005E8A000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://upx.sf.netAmcache.hve.8.drfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameInstallUtil.exe, 00000004.00000002.3807167719.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1462577802.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1513123275.0000000004391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1563688392.0000000004E21000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    https://github.com/Pester/Pesterpowershell.exe, 00000010.00000002.1563688392.0000000004F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1581510614.0000000007800000.00000004.00000020.00020000.00000000.sdmpfalse
                      unknown
                      http://crl.micro%npowershell.exe, 00000010.00000002.1561683362.00000000032C6000.00000004.00000020.00020000.00000000.sdmpfalse
                        unknown
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs
                        IPDomainCountryFlagASNASN NameMalicious
                        176.9.162.125
                        unknownGermany
                        24940HETZNER-ASDEtrue
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1545992
                        Start date and time:2024-10-31 11:19:24 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 9m 19s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:22
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:ORDER REF_47806798 .exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.expl.evad.winEXE@16/21@0/1
                        EGA Information:
                        • Successful, ratio: 40%
                        HCA Information:
                        • Successful, ratio: 87%
                        • Number of executed functions: 237
                        • Number of non-executed functions: 38
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 88.221.110.91, 2.16.100.168, 13.89.179.12, 199.232.214.172
                        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, time.windows.com, a767.dspw65.akamai.net, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net
                        • Execution Graph export aborted for target powershell.exe, PID 6024 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 7308 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 7984 because it is empty
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.
                        • VT rate limit hit for: ORDER REF_47806798 .exe
                        TimeTypeDescription
                        06:20:44API Interceptor42x Sleep call for process: powershell.exe modified
                        07:44:17API Interceptor1x Sleep call for process: WerFault.exe modified
                        07:44:18API Interceptor6061834x Sleep call for process: InstallUtil.exe modified
                        12:44:16AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\installutil.lnk
                        No context
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        bg.microsoft.map.fastly.netPROFORMA FATURA pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                        • 199.232.210.172
                        Orden de compra.xla.xlsxGet hashmaliciousUnknownBrowse
                        • 199.232.210.172
                        Orden de compra.xla.xlsxGet hashmaliciousUnknownBrowse
                        • 199.232.214.172
                        4266212121326821689.jsGet hashmaliciousStrela DownloaderBrowse
                        • 199.232.214.172
                        16804547213639850.jsGet hashmaliciousStrela DownloaderBrowse
                        • 199.232.210.172
                        https://invite.bublup.com/q6fU7gLtMrfSGet hashmaliciousHTMLPhisherBrowse
                        • 199.232.210.172
                        Proposal From SIOLI Alexander Pino#U2026.pdfGet hashmaliciousUnknownBrowse
                        • 199.232.210.172
                        184085606271511815.jsGet hashmaliciousStrela DownloaderBrowse
                        • 199.232.210.172
                        new order - PO 351081.exeGet hashmaliciousAgentTeslaBrowse
                        • 199.232.214.172
                        UCLouvain.onepkgGet hashmaliciousUnknownBrowse
                        • 199.232.214.172
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        HETZNER-ASDEhttp://www.thearchiterra.gr/Get hashmaliciousUnknownBrowse
                        • 5.9.110.184
                        http://www.thearchiterra.gr/Get hashmaliciousUnknownBrowse
                        • 5.9.110.184
                        http://www.thearchiterra.gr/Get hashmaliciousUnknownBrowse
                        • 5.9.110.184
                        http://www.thearchiterra.gr/Get hashmaliciousUnknownBrowse
                        • 5.9.110.184
                        Payment&WarantyBonds.exeGet hashmaliciousFormBookBrowse
                        • 144.76.190.39
                        https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/fileGet hashmaliciousUnknownBrowse
                        • 148.251.20.70
                        Payment&WarantyBonds.exeGet hashmaliciousFormBookBrowse
                        • 144.76.190.39
                        wZU2edEGL3.elfGet hashmaliciousUnknownBrowse
                        • 144.79.90.34
                        http://199.59.243.227Get hashmaliciousHTMLPhisherBrowse
                        • 188.40.167.81
                        na.elfGet hashmaliciousMiraiBrowse
                        • 46.4.195.6
                        No context
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        C:\Users\user\AppData\Roaming\installutil.exechiara.exeGet hashmaliciousCryptOne, DarkTortilla, Mofksys, XWormBrowse
                          Bank Details.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                            Signed Document..exeGet hashmaliciousRemcos, DarkTortilla, PureLog StealerBrowse
                              PO CONTRACT.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                image.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                  ABA NEW ORDER No.2400228341.pdf.exeGet hashmaliciousAsyncRATBrowse
                                    09099627362726.exeGet hashmaliciousAgentTeslaBrowse
                                      SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exeGet hashmaliciousDarkTortilla, XWormBrowse
                                        719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exeGet hashmaliciousDarkTortilla, XWormBrowse
                                          ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exeGet hashmaliciousDarkTortilla, XWormBrowse
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):65536
                                            Entropy (8bit):0.9995581153090793
                                            Encrypted:false
                                            SSDEEP:96:fXFpd1lobss2jPoNy/qWRQXIDcQqc6jcEOcw3WdoY+BHUHZ0ownOgFkEwH3d2FYF:vB1GsG0UnUlaWBNbgW1zuiFRZ24lO8S
                                            MD5:DB6E781F6995340EF7D133DD5A76B736
                                            SHA1:65D1E42E5A7A44C8D80D4EDD245CF3844BF3268C
                                            SHA-256:7E8AD1EDFB3F1C3B07B9E9941A2E833E862E0550A7FBFD54F02FAA8ED0C9A8B0
                                            SHA-512:D59AB8CB44684F5AE88339D786DE4AD44EE774F4A5BB0F7724896FF07DF1033675B43274EB4E13A76B12AE39D2AC1C55C70E511BFA9E06CC31A001DDF4AA1F21
                                            Malicious:false
                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.8.4.3.6.4.0.7.4.0.1.3.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.8.4.3.6.4.2.4.1.2.0.1.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.2.9.3.4.0.f.7.-.a.e.8.6.-.4.d.a.8.-.8.c.7.e.-.8.4.c.7.5.c.b.3.2.6.1.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.9.b.6.e.d.3.-.1.d.b.e.-.4.a.1.2.-.b.c.e.9.-.2.1.e.c.e.8.f.b.d.5.6.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.O.R.D.E.R. .R.E.F._.4.7.8.0.6.7.9.8. ...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.N.e.w.S.t.b...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.6.c.-.0.0.0.1.-.0.0.1.4.-.c.b.c.6.-.e.7.8.4.7.e.2.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.f.e.4.a.c.3.a.4.9.4.8.c.8.b.0.0.6.d.9.6.5.1.e.4.b.d.b.2.5.4.d.0.0.0.0.0.0.0.0.!.0.0.0.0.a.6.e.8.5.b.7.3.d.f.b.c.0.4.9.4.f.4.3.5.f.e.2.e.7.8.b.d.b.4.9.7.7.a.4.a.2.f.e.5.!.O.R.D.
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:Mini DuMP crash report, 16 streams, Thu Oct 31 10:20:41 2024, 0x1205a4 type
                                            Category:dropped
                                            Size (bytes):390089
                                            Entropy (8bit):3.2912184244624996
                                            Encrypted:false
                                            SSDEEP:3072:JdFuuFfymNJGlHeJ4clCAWcSU2u0fgww51CCq+nc/3+vZ8VvG:tuuFfymNJOEMHUww5qR/3QZ8V+
                                            MD5:3852E77BABB023D2085D0D4DD1B4B48D
                                            SHA1:BF93B20285F8BE511C12F1BF501160A7932650A9
                                            SHA-256:ED16C7FAFBC4AE3004E448E06D3719AD0174987D95E2836B726BA21871C10ED0
                                            SHA-512:844C3F366D73C706F4DAA9B6AF4FCDB7BA0852C8A1C3CB152167A3A11A0BAE98B01B30504D75266AC42AF8A7A27D25BE630B5EEB34FA8910BA3043F4976F04BE
                                            Malicious:false
                                            Preview:MDMP..a..... ........Y#g....................................$...............(.......DH..&w..........l.......8...........T............(...............:...........;..............................................................................eJ.......<......Lw......................T.......l....Y#g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):8636
                                            Entropy (8bit):3.714891800419031
                                            Encrypted:false
                                            SSDEEP:192:R6l7wVeJJIEo6YNZ9WFKGgmfPqXcprH89bT9tfuxm:R6lXJmB6Yz9WJgmfPqXBTHfp
                                            MD5:346EB46CFD3E9B43D8E5C626AFB44B27
                                            SHA1:23E3861A3808ED3DD8A428E9E0CE6A4ABF9849E5
                                            SHA-256:6081A4CE9FADE207EDDC1879687E0A67E2C8647F989255A7AE25E47354D90FAB
                                            SHA-512:8CAC64E44179C5D272E84428D75081E91AE36CB84EAC5CA33F5318F8C32E29753257EEA1AA38AC4808A3A3792060F1CCB535FEE6C786AE1A974A016CA20D0811
                                            Malicious:false
                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.3.2.<./.P.i.
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):4799
                                            Entropy (8bit):4.538388927532737
                                            Encrypted:false
                                            SSDEEP:48:cvIwWl8zsbJg771I9wLWpW8VYdvYm8M4J0AFFyq85KCHB5yAd:uIjf1I7767VeyJFCH/yAd
                                            MD5:CDCCEA53731A7C6E207DE6FE5203AE8A
                                            SHA1:AF2A122824929BD57F02A65B666DCF940ACDD3EE
                                            SHA-256:820DDC0EBCDEB47EBE3F89E963012518B5D60E16AB552A9808012C2AB7A3272E
                                            SHA-512:C9375B374A8405BDADEE21B46D3841B8AFB5698A9530FC194B125156196DD56E854CAFBED276EA3FC09C4430DB102211062D89421B11A3AED27182E1B18F9156
                                            Malicious:false
                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="567443" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:modified
                                            Size (bytes):2232
                                            Entropy (8bit):5.380192968514367
                                            Encrypted:false
                                            SSDEEP:48:SWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:SLHyIFKL3IZ2KRH9Oug8s
                                            MD5:49F7BCE10B1F4950A3BD7EF52253D2E1
                                            SHA1:64D9596B594ECD3CEF9863586C1C31F770721286
                                            SHA-256:197EDEFE575601F9DCDC0CE5333E384E79C4D7C0DB15CF8F780EA9606E098C11
                                            SHA-512:C215099D89200F134FA4E1ADC75F4684D7A8D65B8D36FD14087A4B2D90C11F247AC77C221021B5EF8ECA82296759FBBA6EEB169FEA26DA426025946F9C9B7A00
                                            Malicious:false
                                            Preview:@...e.................................K..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):29
                                            Entropy (8bit):3.598349098128234
                                            Encrypted:false
                                            SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                            MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                            SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                            SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                            SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                            Malicious:false
                                            Preview:....### explorer ###..[WIN]r
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 31 10:44:14 2024, mtime=Thu Oct 31 10:44:14 2024, atime=Thu Oct 31 10:44:14 2024, length=42064, window=hide
                                            Category:dropped
                                            Size (bytes):790
                                            Entropy (8bit):5.138096667212037
                                            Encrypted:false
                                            SSDEEP:12:88rzuh641N+2ChiAi1Y//KKoLsLlRMiFjEjAtVNH1Rio8pJwpJzBmV:88rCu2XA92sxQAtH8pJwpJtm
                                            MD5:517700C40D8403BAF6CDC62F0543C97E
                                            SHA1:01CD4E2BA6278F87F2E7918687B44A1E8C0851AC
                                            SHA-256:48D6D7DFA008D7887E534476DE02FB2EFB5FCA2794C8B17DDC6AC3D4A6D76482
                                            SHA-512:F997065517C2FEB4AD708803E4D73F198A0E9ADF528F1F69D60C5DFE71B3AB24F1ACA665BC843962642E90AAC8D8F432D8226906F883FDDCFBA44F7E81B63714
                                            Malicious:false
                                            Preview:L..................F.... ....p.5.+...p.5.+...p.5.+..P.........................:..DG..Yr?.D..U..k0.&...&......Qg.*_...^.d.~+..[5.5.+......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=_Y.]..........................3*N.A.p.p.D.a.t.a...B.V.1....._Y.R..Roaming.@......EW.=_Y.R..............................R.o.a.m.i.n.g.....l.2.P..._Y.] .INSTAL~1.EXE..P......_Y.]_Y.]..........................F7..i.n.s.t.a.l.l.u.t.i.l...e.x.e.......a...............-.......`...........[..b.....C:\Users\user\AppData\Roaming\installutil.exe........\.....\.....\.....\.....\.i.n.s.t.a.l.l.u.t.i.l...e.x.e.`.......X.......226546...........hT..CrF.f4... .6../Tc...,......hT..CrF.f4... .6../Tc...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):42064
                                            Entropy (8bit):6.19564898727408
                                            Encrypted:false
                                            SSDEEP:384:qtpFVLK0MsihB9VKS7xdgl6KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+RPZTg:GBMs2SqdSZ6Iq8BxTfqWR8h7ukP
                                            MD5:5D4073B2EB6D217C19F2B22F21BF8D57
                                            SHA1:F0209900FBF08D004B886A0B3BA33EA2B0BF9DA8
                                            SHA-256:AC1A3F21FCC88F9CEE7BF51581EAFBA24CC76C924F0821DEB2AFDF1080DDF3D3
                                            SHA-512:9AC94880684933BA3407CDC135ABC3047543436567AF14CD9269C4ADC5A6535DB7B867D6DE0D6238A21B94E69F9890DBB5739155871A624520623A7E56872159
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Joe Sandbox View:
                                            • Filename: chiara.exe, Detection: malicious, Browse
                                            • Filename: Bank Details.exe, Detection: malicious, Browse
                                            • Filename: Signed Document..exe, Detection: malicious, Browse
                                            • Filename: PO CONTRACT.exe, Detection: malicious, Browse
                                            • Filename: image.exe, Detection: malicious, Browse
                                            • Filename: ABA NEW ORDER No.2400228341.pdf.exe, Detection: malicious, Browse
                                            • Filename: 09099627362726.exe, Detection: malicious, Browse
                                            • Filename: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, Detection: malicious, Browse
                                            • Filename: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, Detection: malicious, Browse
                                            • Filename: ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe, Detection: malicious, Browse
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,>.]..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..PB...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:MS Windows registry file, NT/2000 or above
                                            Category:dropped
                                            Size (bytes):1835008
                                            Entropy (8bit):4.41690536851467
                                            Encrypted:false
                                            SSDEEP:6144:1cifpi6ceLPL9skLmb0mYSWSPtaJG8nAgex285i2MMhA20X4WABlGuNT5+:Si58YSWIZBk2MM6AFBZo
                                            MD5:D7792EC5426851516A43C03DC2A294D4
                                            SHA1:7E34B1FC380A944AB1DAA29D40F3737815DE1B4B
                                            SHA-256:BEC47E60823B5764385D10939BE95CDE6FDE2FEB65C42FB7670A3899D3632B2D
                                            SHA-512:30CB349A8A684E760A4AC4F332144DE7938130532593819178E06B2A7DF838D3BCF3DDAFCBF634075591E93B5041513B88A33DE27184B503CEC4C817E53E974F
                                            Malicious:false
                                            Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmf.9.~+..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):5.581265550903216
                                            TrID:
                                            • Win64 Executable Console Net Framework (206006/5) 48.58%
                                            • Win64 Executable Console (202006/5) 47.64%
                                            • Win64 Executable (generic) (12005/4) 2.83%
                                            • Generic Win/DOS Executable (2004/3) 0.47%
                                            • DOS Executable Generic (2002/1) 0.47%
                                            File name:ORDER REF_47806798 .exe
                                            File size:1'184'301 bytes
                                            MD5:b1409192281b85ae112868f828087864
                                            SHA1:a6e85b73dfbc0494f435fe2e78bdb4977a4a2fe5
                                            SHA256:3721299ab8cab7453d4781c5d3acc4304dffd8335164fbdfc31c80959cb0b35b
                                            SHA512:509ad61d75da81b46ce50ab32f787b6bbf0763a5dfe9e7c2ce0791b7a5006af8529c3b54fb3ec76a3709dbf8b9562b1150fae50a59bf9eb2f56529b98ea56ebf
                                            SSDEEP:12288:1CaR45KgL9fLyT+o2+gmuQIIq65/PKtfCnbMtqL:c2gBfLxHBQIf6pihCIc
                                            TLSH:0245011572AB8C5BFD9D4679D8E87AF406FE4E0372F2A69FCF842C8905223BD4051972
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...-..g.........."...0.P................ ....@...... .......................@............`................................
                                            Icon Hash:00928e8e8686b000
                                            Entrypoint:0x400000
                                            Entrypoint Section:
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows cui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x671FEF2D [Mon Oct 28 20:08:13 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:
                                            Instruction
                                            dec ebp
                                            pop edx
                                            nop
                                            add byte ptr [ebx], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax+eax], al
                                            add byte ptr [eax], al
                                            NameVirtual AddressVirtual Size Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x120000x606.rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                            .text0x20000xe4500xe60003f2af8ad729d67d326d51d9d260b00aFalse0.6006114130434783data6.457244168656721IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rsrc0x120000x6060x800609a754a5a6818941b5a51503fca6d6fFalse0.33740234375data3.456711313513106IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                            RT_VERSION0x120a00x37cdata0.42937219730941706
                                            RT_MANIFEST0x1241c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347
                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                            2024-10-31T11:20:52.264049+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow14.245.163.56443192.168.2.749779TCP
                                            2024-10-31T11:21:09.372999+01002853192ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound1192.168.2.749864176.9.162.1254060TCP
                                            2024-10-31T11:21:14.867553+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:21:14.867553+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:21:16.595583+01002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.749864176.9.162.1254060TCP
                                            2024-10-31T11:21:17.863825+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:21:27.394699+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:21:31.267330+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow120.12.23.50443192.168.2.749984TCP
                                            2024-10-31T11:21:37.994960+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:21:44.870337+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:21:44.870337+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:21:48.619964+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:21:59.245185+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:08.666723+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:14.877686+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:14.877686+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:17.047605+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:17.761011+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:17.917693+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:18.337735+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:18.450458+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:18.472273+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:19.432219+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:19.567221+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:19.912831+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:20.805164+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:20.989357+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:21.050532+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:21.124756+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:21.349286+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:22.159982+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:22.655113+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:23.436376+01002853193ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.749864176.9.162.1254060TCP
                                            2024-10-31T11:22:23.705151+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:25.037531+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:26.939182+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:27.296811+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:27.431632+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:28.282546+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:30.018269+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:30.459106+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:33.783847+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:34.447765+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:36.381247+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:36.516183+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:36.822950+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:36.957661+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:41.047520+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:43.745679+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:43.880436+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:44.714276+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:44.866407+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:44.866407+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:46.452960+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:46.587620+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:46.784691+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:46.920008+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:47.006218+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:47.061060+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:47.195912+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:49.044118+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:49.557850+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:51.870632+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:52.356139+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:58.552469+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:22:58.780972+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:02.750312+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:03.053478+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:04.864026+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:05.619132+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:06.050850+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:08.309898+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:08.624086+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:09.601706+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:11.572077+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:11.877830+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:12.145004+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:14.457633+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:14.592526+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:14.943612+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:14.943612+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:15.073391+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:15.484001+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:16.382948+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:18.480610+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:18.616623+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:19.393144+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:20.497929+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:21.205348+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:21.649460+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:23.474843+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:23.609845+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:26.387258+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:26.620703+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:26.755507+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:27.169715+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:27.710491+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:27.905689+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:28.550053+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:28.684817+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:29.986962+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:32.549262+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:33.289379+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:35.566249+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:36.553866+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:36.688785+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:36.823671+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:37.860410+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:38.127812+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:38.684710+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:39.991935+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:40.711570+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:41.293376+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:42.260947+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:42.542904+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:43.504185+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:43.638865+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:45.164720+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:45.299739+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:45.299739+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:45.693135+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:47.223680+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:47.357343+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:47.491865+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:47.614417+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:48.247327+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:48.866755+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:49.418093+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:50.571040+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:50.705902+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:51.305052+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:51.439721+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:52.474405+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:52.608986+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:55.223926+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:55.980671+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:56.776013+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:58.327048+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:58.632145+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:23:59.388075+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:00.274247+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:01.287260+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:01.505167+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:01.522863+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:01.585507+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:01.639820+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:01.720387+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:04.510676+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:04.645387+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:06.977984+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:07.634093+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:08.022091+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:08.156909+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:09.363550+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:09.497685+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:09.912424+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:10.196429+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:10.331125+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:10.603205+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:11.334978+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:11.474652+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:11.604506+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:11.625591+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:11.760539+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:12.166159+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:12.270313+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:12.299479+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:13.406657+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:13.769609+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:14.293957+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:14.867965+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:14.867965+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:15.311521+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:15.446284+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:16.307057+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:16.782125+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:17.379738+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:17.704994+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:17.705479+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:17.721237+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:17.833422+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:18.181397+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:19.458637+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:19.593241+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:20.166545+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:20.182700+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:20.251761+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:20.301138+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:21.338219+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:21.560188+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:21.694966+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:22.237497+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:23.498845+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:23.633299+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:24.140809+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:25.234436+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:26.968263+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:27.579282+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:29.338859+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:29.549792+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:30.090024+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:30.263136+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:30.438810+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:30.687712+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:31.453412+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:31.588050+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:31.763806+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:33.343031+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:33.454721+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:33.475972+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:33.589092+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:34.113810+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:34.210981+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:34.247685+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:34.409430+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:36.590531+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:36.834009+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:40.629246+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:40.742587+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:40.762607+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:40.962938+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:41.641215+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:41.775940+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:45.234487+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:45.235577+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:45.236262+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:45.236262+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:45.236443+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:45.244626+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1176.9.162.1254060192.168.2.749864TCP
                                            2024-10-31T11:24:45.244626+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21176.9.162.1254060192.168.2.749864TCP
                                            TimestampSource PortDest PortSource IPDest IP
                                            Oct 31, 2024 11:21:05.656276941 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:05.661106110 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:05.661273956 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:05.878242970 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:05.883120060 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.362122059 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.372998953 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.377963066 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.835547924 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.835608959 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.835618973 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.835635900 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.835652113 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.835656881 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.835664034 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.835678101 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.835678101 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.835691929 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.835710049 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.835726023 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.836090088 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.836112022 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.836124897 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.836162090 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.840575933 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.840600014 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.840655088 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.951353073 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.951383114 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.951482058 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.970686913 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.970710039 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.970722914 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.970733881 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.970745087 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.970767021 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.970808983 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.971003056 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.971084118 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.971096039 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.971107960 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.971118927 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.971122026 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.971139908 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.971862078 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.971873999 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.971885920 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.971916914 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.971946955 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.971987009 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.971998930 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.972049952 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.972595930 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.972690105 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.972702026 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.972712994 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.972727060 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.972734928 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.972757101 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.975635052 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.975647926 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.975661039 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:09.975683928 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:09.975707054 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.067486048 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.067591906 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.067604065 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.067635059 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.105815887 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.105834007 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.105845928 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.105858088 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.105869055 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.105875969 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.105880022 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.105891943 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.105916977 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.105956078 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.105968952 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106029987 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106070042 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.106122971 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106133938 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106144905 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106157064 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106182098 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.106205940 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.106331110 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106343985 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106355906 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106391907 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106400967 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.106405973 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106427908 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.106712103 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106724024 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106738091 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106769085 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.106770992 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106784105 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106794119 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.106794119 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106806993 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106817961 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106820107 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.106847048 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106854916 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.106859922 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106870890 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106883049 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.106890917 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.106913090 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.107686043 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.107698917 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.107733011 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.107753992 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.107765913 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.107778072 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.107789993 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.107791901 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.107800961 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.107815027 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.107819080 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.107840061 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.107882977 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.107893944 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.107903957 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.107916117 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.107923985 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.107944965 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.110644102 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.110676050 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.110687971 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.110698938 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.110716105 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.110738993 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.182495117 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.182518005 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.182531118 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.182542086 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.182554960 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.182596922 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.220762968 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.220841885 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.240227938 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240256071 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240267038 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240303993 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240314960 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240328074 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240331888 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240339994 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.240355015 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.240395069 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.240438938 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240448952 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240461111 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240473032 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240478039 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.240483046 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240499020 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240513086 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.240525961 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.240705967 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240716934 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240742922 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.240746975 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240758896 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240768909 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240782976 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.240803957 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.240931034 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240942001 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240958929 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240971088 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240982056 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.240993977 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.240994930 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241013050 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241035938 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241075993 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241126060 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241137028 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241154909 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241198063 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241209030 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241233110 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241309881 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241322041 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241333008 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241347075 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241347075 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241369009 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241372108 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241379976 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241413116 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241457939 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241468906 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241486073 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241496086 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241497993 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241507053 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241533041 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241559029 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241661072 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241689920 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241707087 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241719007 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241727114 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241734028 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241764069 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241765022 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241786957 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241800070 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241873980 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241884947 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241898060 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.241906881 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241931915 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.241965055 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.245294094 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.245337963 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.245348930 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.245357990 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.245366096 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.245378017 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.245383978 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.245388985 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.245409012 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.246037006 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246076107 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.246150970 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246162891 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246175051 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246189117 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246198893 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246205091 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.246211052 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246228933 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246234894 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.246241093 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246253014 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246260881 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.246263981 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246274948 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246275902 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.246285915 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246293068 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246298075 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246299028 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.246308088 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246316910 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246323109 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.246341944 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.246352911 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.246381998 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246443987 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246454954 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246467113 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246484995 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.246494055 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.246815920 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.246992111 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.247003078 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.247014999 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.247025013 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.247026920 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.247036934 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.247046947 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.247050047 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.247061968 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.247072935 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.247075081 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.247083902 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.247096062 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.247106075 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.247112036 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.247117996 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.247128963 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.247138977 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.247143030 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.247157097 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.247178078 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.250251055 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.250263929 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.250277996 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.250289917 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.250305891 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.250329971 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.252770901 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.297940016 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.297960997 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.297976017 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.298007011 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.298016071 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.298017979 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.298029900 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.298031092 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.298072100 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.375164032 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375179052 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375227928 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.375377893 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375515938 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375535011 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375546932 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375551939 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.375557899 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375569105 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375580072 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375580072 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.375592947 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375598907 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.375608921 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375622034 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375632048 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375632048 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.375649929 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375663996 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375670910 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.375674009 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375684977 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375694036 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.375698090 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.375730038 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.375758886 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.376585007 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376596928 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376607895 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376619101 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376631975 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376642942 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376648903 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.376656055 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376668930 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376684904 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.376694918 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.376717091 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376728058 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376738071 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376749992 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376760960 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376771927 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.376773119 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376785040 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376796007 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.376801968 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376813889 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376823902 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376832008 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.376836061 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376847029 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376852989 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.376888037 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376898050 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.376898050 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376909971 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376915932 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376921892 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.376928091 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.377002954 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.380088091 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380105972 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380156994 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.380646944 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380657911 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380676031 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380686045 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380696058 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380696058 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.380706072 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380716085 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.380718946 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380734921 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380744934 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.380745888 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380759001 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380767107 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.380769968 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380780935 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380793095 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380798101 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.380804062 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380815029 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.380824089 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.380855083 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.381606102 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.381617069 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.381633997 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.381642103 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.381644964 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.381654978 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.381673098 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.381694078 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.381819963 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.381830931 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.381840944 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.381866932 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.381870031 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.381882906 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.381892920 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.381899118 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.381917953 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.381998062 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.382158995 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382169962 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382180929 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382199049 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.382215023 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382225990 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382235050 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382241011 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.382246017 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382252932 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.382260084 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382271051 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382282019 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382288933 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382308006 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382318020 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382318974 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.382329941 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382338047 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.382369041 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.382483959 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382496119 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.382519007 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.384913921 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.384954929 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.384954929 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.385787010 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.385797977 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.385811090 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.385828018 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.385843039 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.385848045 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.385859013 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.385869026 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.385890007 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.413424015 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.413445950 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.413456917 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.413467884 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.413480043 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.413484097 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.413506031 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.413518906 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.413520098 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.413531065 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.413536072 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.413542032 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.413557053 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.413605928 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491143942 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491161108 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491173029 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491183996 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491195917 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491206884 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491219044 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491225958 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491271973 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491332054 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491348982 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491359949 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491364956 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491372108 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491384029 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491389990 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491394997 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491408110 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491420031 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491422892 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491430998 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491442919 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491442919 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491456032 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491466999 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491478920 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491481066 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491513968 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491528988 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491555929 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491568089 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491578102 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491589069 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491600037 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491606951 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491619110 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491627932 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491631985 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491642952 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491647959 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491655111 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491664886 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491677999 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491683960 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491692066 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491713047 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491725922 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491730928 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491743088 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491776943 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491776943 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491795063 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491806984 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491820097 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491831064 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491832972 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491839886 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.491856098 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.491869926 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.492238998 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.492249966 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.492260933 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.492300034 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.497123957 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497137070 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497149944 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497174025 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497179985 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.497185946 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497198105 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497210026 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497217894 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.497236967 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.497256041 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.497282982 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497294903 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497306108 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497318029 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497328997 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.497329950 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497342110 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497350931 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.497354031 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497364998 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497379065 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497390032 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.497390985 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497400045 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.497433901 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.497637987 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497664928 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497677088 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.497704029 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.498579979 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.498591900 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.498604059 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.498621941 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.498651028 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.498653889 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.498665094 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.498676062 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.498687029 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.498698950 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.498699903 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.498709917 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.498719931 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.498747110 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.510240078 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.510282040 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.510293961 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.510304928 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.510318995 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.510324955 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.510330915 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.510343075 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.510368109 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.510757923 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.510859013 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.510869026 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.510885000 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.510893106 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.510896921 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.510909081 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.510921955 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.510948896 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.510972023 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.510983944 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.510994911 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.511012077 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.511015892 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.511024952 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.511035919 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.511043072 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.511049032 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.511059046 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.511069059 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.511071920 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.511084080 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.511095047 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.511097908 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.511118889 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.511459112 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.511493921 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.511503935 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.512196064 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.529493093 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.529506922 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.529517889 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.529531002 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.529542923 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.529557943 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.529608011 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.573012114 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.573026896 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.573038101 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.573065042 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606235027 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606250048 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606268883 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606281996 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606292963 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606303930 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606304884 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606323957 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606337070 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606348991 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606350899 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606362104 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606369019 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606370926 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606383085 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606386900 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606408119 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606412888 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606424093 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606434107 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606448889 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606471062 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606499910 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606574059 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606585026 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606595993 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606606960 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606611967 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606620073 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606631994 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606633902 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606643915 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606658936 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606673002 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606770039 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606779099 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606790066 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606822968 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606828928 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606833935 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606846094 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606859922 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606883049 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606884003 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.606945038 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606956959 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606967926 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606980085 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.606981993 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.607013941 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.607898951 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.607911110 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.607922077 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.607943058 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.607959986 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.607959986 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.607971907 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.607981920 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.607994080 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.608002901 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.608011961 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.608022928 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.608032942 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.608032942 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.608045101 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.608057022 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.608057976 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.608084917 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.612250090 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612262011 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612272978 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612303972 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.612340927 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.612426996 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612443924 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612453938 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612466097 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612477064 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612477064 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.612488985 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612499952 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.612500906 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612510920 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612521887 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612525940 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.612533092 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612544060 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612554073 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612555981 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.612565994 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612565994 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.612581968 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612593889 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612601042 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.612612963 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.612747908 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612776041 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612782955 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.612787008 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.612828970 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.614078999 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.614137888 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.614149094 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:10.614188910 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:10.659986973 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:11.094216108 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:11.100167036 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:14.867552996 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:14.910131931 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:16.595582962 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:16.816322088 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:17.128797054 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:17.612834930 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:17.612854958 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:17.612868071 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:17.863825083 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:17.910125971 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:27.113987923 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:27.118947029 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:27.394699097 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:27.441385984 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:37.738759041 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:37.743839979 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:37.994960070 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:38.035116911 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:44.870337009 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:44.910233021 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:48.363610029 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:48.368724108 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:48.619963884 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:48.663994074 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:58.988583088 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:21:58.993638039 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:59.245184898 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:21:59.286006927 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:08.410579920 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:08.415450096 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:08.666723013 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:08.707097054 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:14.877686024 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:15.019681931 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:16.789333105 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:16.795150042 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:17.047605038 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:17.222786903 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:17.504534006 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:17.509509087 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:17.661309958 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:17.666390896 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:17.761010885 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:17.876853943 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:17.917692900 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:17.993813992 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:18.070977926 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:18.075988054 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:18.086210012 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:18.091630936 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:18.194561005 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:18.201108932 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:18.337734938 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:18.410305023 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:18.450458050 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:18.472273111 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:18.472402096 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:19.176150084 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:19.181078911 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:19.251635075 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:19.256644011 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:19.432219028 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:19.467283964 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:19.472278118 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:19.567220926 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:19.722790003 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:19.912831068 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:19.974509001 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:20.536484957 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:20.541625977 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:20.733453035 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:20.738507986 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:20.742841959 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:20.747709990 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:20.794831991 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:20.799716949 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:20.805164099 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:20.910336971 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:20.989356995 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:21.050532103 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:21.050645113 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:21.092864990 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:21.124756098 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:21.222809076 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:21.349286079 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:21.410295010 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:21.903985977 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:21.953053951 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:22.159981966 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:22.204489946 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:22.398288965 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:22.403395891 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:22.655112982 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:22.722820044 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:23.436376095 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:23.441344976 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:23.705151081 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:23.910347939 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:24.691298962 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:24.696314096 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:25.037530899 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:25.222806931 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:26.676666021 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:26.681751013 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:26.939182043 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:27.019690990 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:27.040709019 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:27.045759916 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:27.101537943 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:27.106456041 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:27.296811104 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:27.410330057 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:27.431632042 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:27.519702911 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:28.024847031 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:28.029840946 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:28.282546043 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:28.410347939 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:29.761903048 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:29.766843081 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:30.018269062 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:30.164763927 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:30.203114986 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:30.208072901 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:30.459105968 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:30.577596903 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:33.527604103 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:33.532526970 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:33.783847094 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:34.019731045 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:34.191188097 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:34.196170092 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:34.447765112 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:34.519723892 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:36.124526024 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:36.129658937 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:36.166555882 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:36.171581984 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:36.381247044 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:36.516182899 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:36.516247988 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:36.566849947 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:36.571893930 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:36.674228907 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:36.679224968 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:36.822949886 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:36.926001072 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:36.957660913 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:37.099494934 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:40.791155100 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:40.795968056 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:41.047519922 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:41.218031883 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:43.438410997 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:43.494106054 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:43.604914904 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:43.609874010 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:43.745678902 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:43.880435944 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:43.883229017 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:44.457958937 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:44.462897062 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:44.714276075 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:44.842333078 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:44.866406918 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:45.019774914 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:46.195291042 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:46.200267076 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:46.250983953 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:46.255948067 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:46.452960014 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:46.519789934 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:46.528664112 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:46.533487082 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:46.533725023 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:46.538574934 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:46.587620020 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:46.642807007 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:46.736252069 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:46.749329090 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:46.749603987 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:46.755337954 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:46.784691095 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:46.920007944 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:46.920073032 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:46.939462900 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:46.985121965 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:47.006217957 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:47.061059952 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:47.061151028 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:47.195911884 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:47.410485983 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:48.787111998 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:48.791997910 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:49.044117928 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:49.091356039 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:49.301759958 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:49.306655884 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:49.557849884 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:49.722925901 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:51.614033937 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:51.619103909 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:51.870631933 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:52.019812107 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:52.099833965 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:52.104607105 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:52.356138945 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:52.400018930 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:58.295957088 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:58.300780058 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:58.524733067 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:58.530586958 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:58.552469015 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:58.613607883 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:22:58.780972004 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:22:59.019963980 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:02.488120079 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:02.533015966 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:02.683166027 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:02.688015938 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:02.750312090 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:02.910518885 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:03.053478003 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:03.194830894 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:04.521460056 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:04.529520988 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:04.864026070 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:04.937549114 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:05.363198996 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:05.368060112 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:05.619132042 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:05.722976923 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:05.794569969 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:05.800112009 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:06.050849915 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:06.152486086 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:08.053663969 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:08.058547974 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:08.309897900 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:08.367805004 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:08.372839928 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:08.624085903 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:08.723193884 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:09.345655918 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:09.350543976 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:09.601706028 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:09.723072052 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:11.096414089 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:11.101336002 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:11.572077036 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:11.613672972 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:11.621877909 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:11.627850056 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:11.877830029 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:11.888637066 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:11.893541098 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:12.145004034 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:12.223047972 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:14.201627970 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:14.206636906 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:14.258369923 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:14.264580965 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:14.457633018 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:14.592525959 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:14.592606068 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:14.628331900 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:14.634013891 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:14.943612099 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:15.019917011 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:15.073390961 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:15.161075115 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:15.224843025 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:15.229722023 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:15.484000921 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:15.723120928 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:16.123073101 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:16.130949020 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:16.382947922 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:16.519910097 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:18.223643064 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:18.228465080 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:18.338119030 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:18.343050003 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:18.480609894 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:18.616622925 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:18.616833925 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:19.136759043 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:19.141652107 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:19.393143892 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:19.520072937 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:20.228887081 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:20.234034061 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:20.497929096 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:20.613713026 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:20.940737963 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:20.945595026 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:21.205348015 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:21.383233070 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:21.392227888 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:21.397027969 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:21.649460077 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:21.723098993 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:23.219101906 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:23.223901033 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:23.223948002 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:23.228761911 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:23.474843025 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:23.519963980 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:23.609844923 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:23.723211050 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:26.131050110 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:26.136157036 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:26.337749958 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:26.342597008 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:26.357724905 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:26.362577915 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:26.387258053 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:26.520041943 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:26.620702982 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:26.723217964 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:26.755506992 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:26.910764933 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:26.911799908 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:26.957051992 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:27.169714928 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:27.300590992 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:27.307029009 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:27.313029051 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:27.644870043 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:27.649789095 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:27.710490942 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:27.816873074 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:27.905689001 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:28.020001888 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:28.293140888 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:28.298945904 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:28.392604113 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:28.398562908 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:28.550052881 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:28.684817076 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:28.688244104 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:29.731064081 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:29.736040115 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:29.986962080 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:30.223098993 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:32.291569948 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:32.296439886 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:32.549262047 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:32.723253965 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:33.032949924 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:33.037856102 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:33.289378881 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:33.410599947 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:35.310018063 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:35.314970970 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:35.566248894 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:35.613743067 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:36.297080040 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:36.302102089 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:36.303777933 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:36.309243917 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:36.473437071 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:36.478322029 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:36.553865910 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:36.655663013 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:36.688785076 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:36.816916943 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:36.823671103 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:37.020040989 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:37.603971958 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:37.609172106 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:37.860409975 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:37.870846033 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:37.876405954 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:38.127811909 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:38.315634966 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:38.427701950 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:38.432527065 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:38.684710026 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:38.910641909 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:39.735455990 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:39.740504980 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:39.991935015 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:40.156629086 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:40.455478907 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:40.460346937 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:40.711570024 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:40.910671949 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:41.036952972 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:41.041836977 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:41.136003017 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:41.140996933 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:41.141067982 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:41.145864964 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:41.293375969 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:41.428236008 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:41.429068089 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:41.998054028 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:42.002953053 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:42.260946989 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:42.285851955 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:42.291114092 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:42.542903900 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:42.613779068 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:43.248096943 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:43.252988100 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:43.259083986 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:43.264075994 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:43.504184961 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:43.613833904 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:43.638864994 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:43.723165035 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:44.368381023 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:44.373565912 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:45.164720058 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:45.299738884 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:45.299825907 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:45.429406881 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:45.434499025 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:45.693135023 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:45.816935062 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:46.962445974 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:46.967493057 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:47.015913963 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:47.021019936 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:47.209744930 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:47.216090918 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:47.223680019 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:47.310488939 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:47.357115030 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:47.357171059 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:47.357342958 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:47.362165928 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:47.414669037 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:47.491864920 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:47.614417076 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:47.614487886 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:47.626914978 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:47.723303080 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:47.989089012 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:47.995564938 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:48.247327089 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:48.316926956 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:48.610567093 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:48.615564108 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:48.866755009 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:48.910689116 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:49.161134005 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:49.166850090 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:49.418092966 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:49.520045042 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:50.265819073 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:50.270814896 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:50.416395903 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:50.421377897 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:50.571039915 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:50.705902100 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:50.708334923 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:51.023897886 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:51.028871059 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:51.144275904 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:51.149426937 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:51.305052042 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:51.439721107 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:51.439774036 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:52.185220003 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:52.190202951 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:52.281097889 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:52.286350965 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:52.474405050 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:52.520157099 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:52.608985901 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:52.723270893 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:54.966391087 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:54.971363068 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:55.223926067 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:55.410712004 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:55.722817898 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:55.727711916 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:55.980670929 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:56.223227978 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:56.337872028 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:56.519236088 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:56.776012897 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:56.910717964 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:57.324492931 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:57.329493999 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:58.312016964 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:58.317003012 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:58.327048063 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:58.520138025 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:58.632144928 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:58.723294020 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:59.131155968 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:23:59.177145958 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:59.388075113 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:23:59.613866091 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:00.017919064 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:00.023022890 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:00.274246931 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:00.410720110 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:01.030823946 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:01.035814047 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:01.230787039 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:01.236330032 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:01.249432087 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:01.254427910 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:01.267056942 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:01.272011995 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:01.287260056 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:01.329567909 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:01.377316952 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:01.444410086 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:01.449412107 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:01.505167007 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:01.522862911 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:01.522985935 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:01.585506916 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:01.639820099 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:01.639911890 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:01.720386982 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:01.817018986 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:04.236246109 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:04.241419077 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:04.303756952 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:04.308815002 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:04.510675907 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:04.645386934 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:04.645502090 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:06.721659899 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:06.726804972 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:06.977983952 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:07.020138025 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:07.377571106 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:07.382637024 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:07.634093046 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:07.709125996 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:07.765736103 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:07.770705938 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:07.860507011 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:07.865564108 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:08.022090912 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:08.113892078 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:08.156908989 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:08.223336935 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:09.104640007 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:09.109649897 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:09.199172020 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:09.204188108 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:09.363549948 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:09.497684956 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:09.497819901 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:09.656100035 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:09.662477970 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:09.912424088 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:09.929166079 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:09.934288979 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:10.017762899 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:10.022770882 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:10.196429014 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:10.331125021 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:10.331265926 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:10.347379923 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:10.352346897 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:10.603204966 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:10.723332882 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:11.078522921 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:11.083619118 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:11.154696941 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:11.160037994 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:11.274861097 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:11.280452967 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:11.334978104 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:11.363971949 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:11.370096922 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:11.370157957 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:11.375436068 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:11.474652052 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:11.520170927 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:11.604506016 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:11.625591040 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:11.625674009 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:11.760539055 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:11.888250113 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:11.897032022 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:11.902031898 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:11.944077015 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:11.949595928 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:12.014467001 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:12.019525051 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:12.166158915 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:12.224261999 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:12.270313025 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:12.299479008 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:12.300134897 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:13.148180962 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:13.153203964 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:13.406656981 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:13.520178080 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:13.769608974 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:13.769726992 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:14.037050962 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:14.042134047 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:14.293956995 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:14.410790920 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:14.867964983 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:14.926584005 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:15.053364992 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:15.058768034 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:15.097086906 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:15.102032900 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:15.311521053 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:15.446284056 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:15.446366072 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:16.034073114 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:16.038913965 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:16.307056904 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:16.520143986 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:16.523904085 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:16.528882980 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:16.782124996 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:16.910792112 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:17.122108936 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:17.127202034 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:17.154623985 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:17.159560919 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:17.317287922 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:17.322432041 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:17.379738092 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:17.394275904 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:17.399254084 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:17.465539932 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:17.470758915 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:17.704993963 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:17.705478907 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:17.705526114 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:17.721236944 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:17.833421946 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:17.833652020 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:17.924889088 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:17.985272884 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:18.181396961 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:18.223298073 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:19.181665897 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:19.186728001 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:19.299139023 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:19.304199934 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:19.458636999 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:19.520174980 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:19.593240976 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:19.723301888 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:19.906653881 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:19.914150000 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:19.918291092 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:19.923302889 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:19.926203966 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:19.931233883 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:19.995881081 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:20.000873089 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:20.166544914 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:20.182699919 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:20.183079004 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:20.251760960 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:20.301137924 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:20.301276922 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:21.081403017 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:21.086941004 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:21.286360025 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:21.291376114 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:21.303988934 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:21.308960915 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:21.338218927 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:21.410815954 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:21.560188055 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:21.694966078 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:21.695061922 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:21.981112003 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:22.029155016 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:22.237497091 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:22.368277073 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:23.241789103 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:23.246948004 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:23.304851055 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:23.309880972 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:23.498845100 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:23.633299112 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:23.633439064 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:23.882621050 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:23.888072014 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:24.140809059 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:24.223337889 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:24.973608971 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:24.978632927 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:25.234436035 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:25.286395073 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:26.712018013 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:26.717034101 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:26.968262911 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:27.089201927 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:27.322114944 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:27.327836037 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:27.579282045 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:27.723345041 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:29.082586050 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:29.087706089 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:29.292798996 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:29.297799110 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:29.338859081 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:29.520226002 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:29.549792051 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:29.723375082 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:29.833581924 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:29.838551998 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:30.006673098 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:30.011704922 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:30.040297031 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:30.045273066 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:30.090023994 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:30.223356009 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:30.263135910 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:30.364940882 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:30.431068897 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:30.438810110 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:30.522368908 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:30.687711954 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:30.910851955 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:31.197381020 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:31.261157990 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:31.261219025 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:31.266294003 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:31.350456953 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:31.355683088 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:31.453412056 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:31.588049889 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:31.588675022 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:31.763806105 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:31.910898924 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:33.084228992 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:33.089160919 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:33.134812117 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:33.139826059 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:33.198148966 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:33.203411102 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:33.317430973 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:33.322720051 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:33.343030930 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:33.454720974 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:33.454837084 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:33.475971937 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:33.520596027 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:33.589092016 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:33.591623068 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:33.872334003 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:33.877331972 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:33.953176975 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:34.005074978 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:34.113810062 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:34.149120092 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:34.154232025 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:34.210980892 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:34.247684956 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:34.247766018 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:34.409430027 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:34.520292044 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:36.334408045 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:36.339406013 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:36.577471018 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:36.582423925 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:36.590531111 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:36.723424911 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:36.834008932 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:36.910904884 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:40.371233940 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:40.417144060 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:40.438054085 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:40.443017006 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:40.485722065 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:40.490552902 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:40.629245996 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:40.706489086 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:40.714415073 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:40.742587090 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:40.762607098 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:40.762975931 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:40.962938070 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:41.020313025 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:41.384542942 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:41.433147907 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:41.486527920 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:41.491801023 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:41.641215086 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:41.723455906 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:41.775939941 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:41.910896063 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:44.042156935 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:44.046919107 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:45.234487057 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:45.235577106 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:45.235692978 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:45.236262083 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:45.236314058 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:45.236443043 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:45.236582041 CET498644060192.168.2.7176.9.162.125
                                            Oct 31, 2024 11:24:45.244626045 CET406049864176.9.162.125192.168.2.7
                                            Oct 31, 2024 11:24:45.244714022 CET498644060192.168.2.7176.9.162.125
                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                            Oct 31, 2024 11:21:03.995937109 CET1.1.1.1192.168.2.70x2269No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                            Oct 31, 2024 11:21:03.995937109 CET1.1.1.1192.168.2.70x2269No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                            Oct 31, 2024 11:21:51.852411032 CET1.1.1.1192.168.2.70x4a11No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                            Oct 31, 2024 11:21:51.852411032 CET1.1.1.1192.168.2.70x4a11No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false

                                            Click to jump to process

                                            Click to jump to process

                                            Click to dive into process behavior distribution

                                            Click to jump to process

                                            Target ID:1
                                            Start time:06:20:33
                                            Start date:31/10/2024
                                            Path:C:\Users\user\Desktop\ORDER REF_47806798 .exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\Desktop\ORDER REF_47806798 .exe"
                                            Imagebase:0x26e9d6d0000
                                            File size:1'184'301 bytes
                                            MD5 hash:B1409192281B85AE112868F828087864
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.1644133469.0000026E9F9DA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1644133469.0000026E9F4B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1644133469.0000026E9F4B1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            Reputation:low
                                            Has exited:true

                                            Target ID:3
                                            Start time:06:20:33
                                            Start date:31/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:06:20:40
                                            Start date:31/10/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                            Imagebase:0x8f0000
                                            File size:42'064 bytes
                                            MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.3802232685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.3802232685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.3807167719.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:moderate
                                            Has exited:false

                                            Target ID:5
                                            Start time:06:20:40
                                            Start date:31/10/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                            Wow64 process (32bit):
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                                            Imagebase:
                                            File size:42'064 bytes
                                            MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:false

                                            Target ID:8
                                            Start time:06:20:40
                                            Start date:31/10/2024
                                            Path:C:\Windows\System32\WerFault.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\WerFault.exe -u -p 7532 -s 1040
                                            Imagebase:0x7ff63faf0000
                                            File size:570'736 bytes
                                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:10
                                            Start time:06:20:43
                                            Start date:31/10/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe'
                                            Imagebase:0xc80000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:11
                                            Start time:06:20:43
                                            Start date:31/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:14
                                            Start time:07:44:02
                                            Start date:31/10/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'installutil.exe'
                                            Imagebase:0xc80000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:15
                                            Start time:07:44:02
                                            Start date:31/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:16
                                            Start time:07:44:07
                                            Start date:31/10/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\installutil.exe'
                                            Imagebase:0x7ff75da10000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:17
                                            Start time:07:44:07
                                            Start date:31/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff75da10000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Reset < >

                                              Execution Graph

                                              Execution Coverage:13.3%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:25
                                              Total number of Limit Nodes:1
                                              execution_graph 12568 7ffaac304e42 12570 7ffaac304e51 12568->12570 12569 7ffaac304eb3 12570->12569 12571 7ffaac300658 VirtualProtect 12570->12571 12572 7ffaac304f41 12571->12572 12545 7ffaac304ee1 12546 7ffaac304ee9 12545->12546 12547 7ffaac304f30 12546->12547 12550 7ffaac300658 12547->12550 12549 7ffaac304f41 12551 7ffaac3052a0 12550->12551 12552 7ffaac3052c3 12551->12552 12553 7ffaac3053f2 VirtualProtect 12551->12553 12552->12549 12554 7ffaac30542b 12553->12554 12554->12549 12555 7ffaac305361 12556 7ffaac305369 VirtualProtect 12555->12556 12558 7ffaac30542b 12556->12558 12559 7ffaac300981 12560 7ffaac30098b FreeConsole 12559->12560 12562 7ffaac300a1e 12560->12562 12563 7ffaac30525a 12565 7ffaac305269 12563->12565 12564 7ffaac3052c3 12565->12564 12566 7ffaac3053f2 VirtualProtect 12565->12566 12567 7ffaac30542b 12566->12567

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 0 7ffaac30b060-7ffaac30f9c5 2 7ffaac30fa0f-7ffaac30fa39 0->2 3 7ffaac30f9c7-7ffaac30fa0e 0->3 6 7ffaac30fa3b-7ffaac30fa50 2->6 7 7ffaac30fa52 2->7 3->2 8 7ffaac30fa54-7ffaac30fa59 6->8 7->8 10 7ffaac30fa5f-7ffaac30fa6e 8->10 11 7ffaac30fb56-7ffaac30fb76 8->11 15 7ffaac30fa70-7ffaac30fa76 10->15 16 7ffaac30fa78-7ffaac30fa79 10->16 13 7ffaac30fbc7-7ffaac30fbd2 11->13 17 7ffaac30fbd4-7ffaac30fbe3 13->17 18 7ffaac30fb78-7ffaac30fb7e 13->18 21 7ffaac30fa7b-7ffaac30fa9e 15->21 16->21 27 7ffaac30fbe5-7ffaac30fbf7 17->27 28 7ffaac30fbf9 17->28 19 7ffaac310042-7ffaac31005a 18->19 20 7ffaac30fb84-7ffaac30fba5 call 7ffaac30b040 18->20 29 7ffaac31005c-7ffaac310097 call 7ffaac30b2e8 19->29 30 7ffaac3100a4-7ffaac3100d1 call 7ffaac3069d8 19->30 37 7ffaac30fbaa-7ffaac30fbc4 20->37 26 7ffaac30faf3-7ffaac30fafe 21->26 31 7ffaac30faa0-7ffaac30faa6 26->31 32 7ffaac30fb00-7ffaac30fb17 26->32 34 7ffaac30fbfb-7ffaac30fc00 27->34 28->34 79 7ffaac3100e1-7ffaac3100eb 29->79 80 7ffaac310099-7ffaac3100a2 29->80 75 7ffaac3100dc-7ffaac3100df 30->75 76 7ffaac3100d3-7ffaac3100db 30->76 31->19 38 7ffaac30faac-7ffaac30faf0 call 7ffaac30b040 31->38 48 7ffaac30fb46-7ffaac30fb51 call 7ffaac30b570 32->48 49 7ffaac30fb19-7ffaac30fb3f call 7ffaac30b040 32->49 35 7ffaac30fc8c-7ffaac30fca0 34->35 36 7ffaac30fc06-7ffaac30fc28 call 7ffaac30b040 34->36 39 7ffaac30fcf0-7ffaac30fcff 35->39 40 7ffaac30fca2-7ffaac30fca8 35->40 68 7ffaac30fc2a-7ffaac30fc54 36->68 69 7ffaac30fc56-7ffaac30fc57 36->69 37->13 38->26 63 7ffaac30fd0c 39->63 64 7ffaac30fd01-7ffaac30fd0a 39->64 44 7ffaac30fcaa-7ffaac30fcc5 40->44 45 7ffaac30fcc7-7ffaac30fceb 40->45 44->45 71 7ffaac30fe98-7ffaac30fef4 45->71 48->35 49->48 73 7ffaac30fd0e-7ffaac30fd13 63->73 64->73 82 7ffaac30fc59-7ffaac30fc60 68->82 69->82 119 7ffaac30ff64-7ffaac30ff78 71->119 120 7ffaac30fef6-7ffaac30ff4d call 7ffaac306910 71->120 83 7ffaac31001f-7ffaac310020 73->83 84 7ffaac30fd19-7ffaac30fd1c 73->84 75->79 76->75 85 7ffaac3100ed-7ffaac3100f5 79->85 86 7ffaac3100f6-7ffaac310107 79->86 80->30 82->35 90 7ffaac30fc62-7ffaac30fc87 call 7ffaac30b068 82->90 88 7ffaac310023 83->88 91 7ffaac30fd1e-7ffaac30fd3b call 7ffaac300258 84->91 92 7ffaac30fd64-7ffaac30fd6b 84->92 85->86 94 7ffaac310112-7ffaac31011f 86->94 95 7ffaac310109-7ffaac310111 86->95 96 7ffaac31002e-7ffaac310032 88->96 97 7ffaac310025-7ffaac31002a 88->97 113 7ffaac31000e-7ffaac31001e 90->113 91->92 118 7ffaac30fd3d-7ffaac30fd61 91->118 98 7ffaac30fe6c-7ffaac30fe8f 92->98 99 7ffaac30fd71-7ffaac30fd7d 92->99 95->94 107 7ffaac310033-7ffaac31003b 96->107 97->96 109 7ffaac30fe95-7ffaac30fe96 98->109 99->19 106 7ffaac30fd83-7ffaac30fd92 99->106 111 7ffaac30fd94-7ffaac30fda3 106->111 112 7ffaac30fda5-7ffaac30fdb2 call 7ffaac300258 106->112 107->19 109->71 123 7ffaac30fdb8-7ffaac30fdbe 111->123 112->123 118->92 124 7ffaac30ff7a-7ffaac30ffa5 call 7ffaac306910 119->124 125 7ffaac30ffc7-7ffaac30ffd3 call 7ffaac309970 119->125 152 7ffaac30ffbe-7ffaac30ffc4 120->152 153 7ffaac30ff4f-7ffaac30ff53 120->153 128 7ffaac30fdc0-7ffaac30fded 123->128 129 7ffaac30fdf3-7ffaac30fdf8 123->129 144 7ffaac30ffaa-7ffaac30ffb2 124->144 131 7ffaac30ffd4-7ffaac30ffec 125->131 128->129 129->19 133 7ffaac30fdfe-7ffaac30fe1e 129->133 131->19 136 7ffaac30ffee-7ffaac30fffe 131->136 142 7ffaac30fe20-7ffaac30fe2e 133->142 143 7ffaac30fe32-7ffaac30fe41 133->143 140 7ffaac310000-7ffaac31000b 136->140 140->113 148 7ffaac30fe44-7ffaac30fe62 call 7ffaac30bbd8 142->148 150 7ffaac30fe30-7ffaac30fe31 142->150 143->148 144->88 147 7ffaac30ffb4-7ffaac30ffb7 144->147 147->107 151 7ffaac30ffb9 147->151 158 7ffaac30fe67-7ffaac30fe6a 148->158 150->143 151->140 154 7ffaac30ffbb 151->154 152->125 153->131 156 7ffaac30ff55-7ffaac30ff5f 153->156 154->152 156->119 158->71
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1660208012.00007FFAAC300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7ffaac300000_ORDER REF_47806798 .jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 0#$0#$0#$x!
                                              • API String ID: 0-2552121082
                                              • Opcode ID: 46fe725fb3c55b4f7a991e4daaf1aec1b846d384d023c59d46171f7bab6b4a57
                                              • Instruction ID: b53e821a39be9c2d191d1f75b12110dd02f14ba4550cceb579f3aba3732cc929
                                              • Opcode Fuzzy Hash: 46fe725fb3c55b4f7a991e4daaf1aec1b846d384d023c59d46171f7bab6b4a57
                                              • Instruction Fuzzy Hash: 1642D831609A498FEB98DB2CC455A79B7E1FF5A300F1441BDE48EC7292DE24EC46CB91
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1661401848.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7ffaac3e0000_ORDER REF_47806798 .jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 13b9b141ee47e6f4351b440abca849863f8b976e1f9806d112f197afd4641b05
                                              • Instruction ID: c19595a975a596e5bd627f2225fa3d27e02fdaf25aa989f4d7c08d6e804af39c
                                              • Opcode Fuzzy Hash: 13b9b141ee47e6f4351b440abca849863f8b976e1f9806d112f197afd4641b05
                                              • Instruction Fuzzy Hash: 8EE2E87190EBC68FE756D72888559A4BFE0EF57300F1945FAD08DCB193DA28A80AC7D1

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 838 7ffaac303840 839 7ffaac306f57-7ffaac306f9f call 7ffaac306e70 838->839 845 7ffaac306fa1-7ffaac306fb1 839->845 847 7ffaac306fd4-7ffaac306fe3 845->847 848 7ffaac306fe5-7ffaac306fff call 7ffaac306e70 call 7ffaac306ec0 847->848 849 7ffaac306fb3-7ffaac306fc9 call 7ffaac306e70 call 7ffaac306ec0 847->849 858 7ffaac307000-7ffaac307028 849->858 859 7ffaac306fcb-7ffaac306fd2 849->859 862 7ffaac30702e-7ffaac307050 858->862 863 7ffaac30702a 858->863 859->847 865 7ffaac307052-7ffaac307057 call 7ffaac306618 862->865 866 7ffaac30705c-7ffaac307093 862->866 863->862 865->866 869 7ffaac307099-7ffaac3070a4 866->869 870 7ffaac30728f-7ffaac3072f9 866->870 871 7ffaac307118-7ffaac30711d 869->871 872 7ffaac3070a6-7ffaac3070b4 869->872 897 7ffaac307316-7ffaac307340 870->897 898 7ffaac3072fb-7ffaac307301 870->898 874 7ffaac307190-7ffaac30719a 871->874 875 7ffaac30711f-7ffaac30712b 871->875 872->870 876 7ffaac3070ba-7ffaac3070c9 872->876 881 7ffaac3071bc-7ffaac3071c4 874->881 882 7ffaac30719c-7ffaac3071a9 call 7ffaac306638 874->882 875->870 880 7ffaac307131-7ffaac307144 875->880 877 7ffaac3070fd-7ffaac307108 876->877 878 7ffaac3070cb-7ffaac3070fb 876->878 877->870 884 7ffaac30710e-7ffaac307116 877->884 878->877 887 7ffaac307149-7ffaac30714c 878->887 885 7ffaac3071c7-7ffaac3071d2 880->885 881->885 899 7ffaac3071ae-7ffaac3071ba 882->899 884->871 884->872 885->870 888 7ffaac3071d8-7ffaac3071e8 885->888 890 7ffaac307162-7ffaac30716a 887->890 891 7ffaac30714e-7ffaac30715e 887->891 888->870 892 7ffaac3071ee-7ffaac3071fb 888->892 890->870 895 7ffaac307170-7ffaac30718f 890->895 891->890 892->870 896 7ffaac307201-7ffaac307221 892->896 896->870 907 7ffaac307223-7ffaac307232 896->907 901 7ffaac307303-7ffaac307314 898->901 902 7ffaac307341-7ffaac307395 898->902 899->881 901->897 901->898 914 7ffaac3073a9-7ffaac3073e1 902->914 915 7ffaac307397-7ffaac3073a7 902->915 910 7ffaac307234-7ffaac30723f 907->910 911 7ffaac30727d-7ffaac30728e 907->911 910->911 916 7ffaac307241-7ffaac307278 call 7ffaac306638 910->916 920 7ffaac307438-7ffaac30743f 914->920 921 7ffaac3073e3-7ffaac3073e9 914->921 915->914 915->915 916->911 925 7ffaac307482-7ffaac3074ab 920->925 926 7ffaac307441-7ffaac307442 920->926 921->920 923 7ffaac3073eb-7ffaac3073ec 921->923 927 7ffaac3073ef-7ffaac3073f2 923->927 928 7ffaac307445-7ffaac307448 926->928 930 7ffaac3073f8-7ffaac307405 927->930 931 7ffaac3074ac-7ffaac3074c1 927->931 928->931 932 7ffaac30744a-7ffaac30745b 928->932 933 7ffaac307407-7ffaac30742e 930->933 934 7ffaac307431-7ffaac307436 930->934 941 7ffaac3074c3-7ffaac3074ca 931->941 942 7ffaac3074cb-7ffaac307525 931->942 935 7ffaac307479-7ffaac307480 932->935 936 7ffaac30745d-7ffaac307463 932->936 933->934 934->920 934->927 935->925 935->928 936->931 940 7ffaac307465-7ffaac307475 936->940 940->935 941->942
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1660208012.00007FFAAC300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7ffaac300000_ORDER REF_47806798 .jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: d
                                              • API String ID: 0-2564639436
                                              • Opcode ID: b8e9ea4c1d458403b04eb4cb9386c977eaa7b2f3361e02c1c12b496fda57d678
                                              • Instruction ID: 1bd4536e4183216d362e193ed4f46946694b28de81df47ae71fb14548bec80a1
                                              • Opcode Fuzzy Hash: b8e9ea4c1d458403b04eb4cb9386c977eaa7b2f3361e02c1c12b496fda57d678
                                              • Instruction Fuzzy Hash: B522567291DE4A9FE788DB2894819B1B7E0EF57310B1482BED48EC7197DE24E84787D0
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1660208012.00007FFAAC300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7ffaac300000_ORDER REF_47806798 .jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 25b159021028af52693a0ab4c429239f000ac4e6ed5df24192338a5798ef8ab0
                                              • Instruction ID: 133c891c3799780a291bbeab90b47ee305893aa2d0b3fb1b79cb10a6e4bdbc70
                                              • Opcode Fuzzy Hash: 25b159021028af52693a0ab4c429239f000ac4e6ed5df24192338a5798ef8ab0
                                              • Instruction Fuzzy Hash: 91C26A3161DB4A8FE759DB2884418B5B7E1FF86301B04857ED48EC72A6DE34E84AC7D1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1660208012.00007FFAAC300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7ffaac300000_ORDER REF_47806798 .jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9a6bc1488afe140ccc00861b9b16d64587ecb7e3903779ba0fbe764d94c1dfba
                                              • Instruction ID: 813ff0742a9acf8110f81c5c5861e8ec2f1da6310ab1d8965bf193ea52ad2864
                                              • Opcode Fuzzy Hash: 9a6bc1488afe140ccc00861b9b16d64587ecb7e3903779ba0fbe764d94c1dfba
                                              • Instruction Fuzzy Hash: 9B82383161DF468FE359DB28D4908A1B7E1FF86301B1485BED4DEC72A6DA38E849C790
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1660208012.00007FFAAC300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7ffaac300000_ORDER REF_47806798 .jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ef5559c4081a66970a7ac483f54f4cc10e3cab9818df59e7d2d5aa5e01a06141
                                              • Instruction ID: 7f84d5e86c22785326da38536e27c263c79606c0dbc19158d74304ebd1a9b89b
                                              • Opcode Fuzzy Hash: ef5559c4081a66970a7ac483f54f4cc10e3cab9818df59e7d2d5aa5e01a06141
                                              • Instruction Fuzzy Hash: 6AF1285290EE869FF796677858659B9BFD0EF47210B0881FAD08EC71D3DD18D80A83E1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1660208012.00007FFAAC300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7ffaac300000_ORDER REF_47806798 .jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bbdfcfbfce42f9605fcce05d68823d07007afda873c53d0a39f6f053ea7599a0
                                              • Instruction ID: 5c0e7909b479aa406e601a30836a4067adfb6d47db80d943dd4122130c52dce8
                                              • Opcode Fuzzy Hash: bbdfcfbfce42f9605fcce05d68823d07007afda873c53d0a39f6f053ea7599a0
                                              • Instruction Fuzzy Hash: 66E15A3260DF468FF359CB289491572BBD2FF91301B1486BED4DAC72A1D928E84AC7D1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1660208012.00007FFAAC300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7ffaac300000_ORDER REF_47806798 .jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: af09e810e289c55bdce438677ed9779c5553242a8afb9bd48a377c4320f0fe20
                                              • Instruction ID: 74a28e4a4eb182169ca75db03b2691fa750f031cc26f97cf6fff0bf0c2ccb7e1
                                              • Opcode Fuzzy Hash: af09e810e289c55bdce438677ed9779c5553242a8afb9bd48a377c4320f0fe20
                                              • Instruction Fuzzy Hash: CD417D3160D7894FE71E9B3888665B57B95EB97320B05C2BFC187C75A3DD24980783D2
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1660208012.00007FFAAC300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7ffaac300000_ORDER REF_47806798 .jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 86c2d3905d4f8b1fd01f363391493b4d296cf7df1b87246db09afaaf1dc14043
                                              • Instruction ID: a6971f6f60f2e95dd7aeb5d8c4cff8935e896cd91563a2d3a22c68349597ca76
                                              • Opcode Fuzzy Hash: 86c2d3905d4f8b1fd01f363391493b4d296cf7df1b87246db09afaaf1dc14043
                                              • Instruction Fuzzy Hash: 8F415C3150D6895FD71E9B3888625B57B95EB93310B05C2BFD487C7593DD28980783E2

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1340 7ffaac300658-7ffaac3052c1 1342 7ffaac3052f9-7ffaac305331 1340->1342 1343 7ffaac3052c3-7ffaac3052ef 1340->1343 1346 7ffaac305369-7ffaac305429 VirtualProtect 1342->1346 1347 7ffaac305333-7ffaac30535f 1342->1347 1354 7ffaac305431-7ffaac305462 1346->1354 1355 7ffaac30542b 1346->1355 1355->1354
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1660208012.00007FFAAC300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7ffaac300000_ORDER REF_47806798 .jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d7e69d8cd20898d71a69e1cffdf21c7d14dceb0e31cc130a17ec52550f1eef57
                                              • Instruction ID: b6e9175da5dc10a35a05f5a0b413ac8f3820f3c529cb0c4fbf22ce1ecfc204a7
                                              • Opcode Fuzzy Hash: d7e69d8cd20898d71a69e1cffdf21c7d14dceb0e31cc130a17ec52550f1eef57
                                              • Instruction Fuzzy Hash: 57515C3190DB884FD718E778985B5FDBFE0EF56210F0445EED089C7293C964684683D2

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1357 7ffaac305361-7ffaac305429 VirtualProtect 1362 7ffaac305431-7ffaac305462 1357->1362 1363 7ffaac30542b 1357->1363 1363->1362
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1660208012.00007FFAAC300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7ffaac300000_ORDER REF_47806798 .jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: dd189c7e4576bb4f8c431d8e8e550a7a5be97a3386ac4e3f1d5d3ddfca5da023
                                              • Instruction ID: 1eb2e454c98eda6caea090ce019129d76d987af4c1c4251d8845096aa9d121a3
                                              • Opcode Fuzzy Hash: dd189c7e4576bb4f8c431d8e8e550a7a5be97a3386ac4e3f1d5d3ddfca5da023
                                              • Instruction Fuzzy Hash: 4C31F67190CB488FDB18DB68980A6FD7BE1EF95321F00426FE04AC3252DB74A80687C5

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1365 7ffaac300981-7ffaac300989 1366 7ffaac300991 1365->1366 1367 7ffaac30098b 1365->1367 1368 7ffaac300994-7ffaac300a1c FreeConsole 1366->1368 1369 7ffaac300993 1366->1369 1367->1366 1372 7ffaac300a24-7ffaac300a4b 1368->1372 1373 7ffaac300a1e 1368->1373 1369->1368 1373->1372
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1660208012.00007FFAAC300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7ffaac300000_ORDER REF_47806798 .jbxd
                                              Similarity
                                              • API ID: ConsoleFree
                                              • String ID:
                                              • API String ID: 771614528-0
                                              • Opcode ID: 706485ee76fb466d068db7ec3e2267a6d041cdd689293d17e96fe9bf47c3bebc
                                              • Instruction ID: b6a26f78666e4fd03238fc6caa156f25b1694d9d8e3e415376b5c406e61fd690
                                              • Opcode Fuzzy Hash: 706485ee76fb466d068db7ec3e2267a6d041cdd689293d17e96fe9bf47c3bebc
                                              • Instruction Fuzzy Hash: 2221A57190CB4C8FEB54DB68D445AFABBE0EB56321F00416ED08AC3552D664A44ACB51
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1661401848.00007FFAAC3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7ffaac3e0000_ORDER REF_47806798 .jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7982ead7996e02cc67834ab86eae19099841e3f6728f570ebdd4bfc4a05fb21b
                                              • Instruction ID: cd472f7d777f0babbabc6ec54b3e6332c99ef552e8bfa62a2291f8f2966bf6b1
                                              • Opcode Fuzzy Hash: 7982ead7996e02cc67834ab86eae19099841e3f6728f570ebdd4bfc4a05fb21b
                                              • Instruction Fuzzy Hash: 4841043590DF898FEB46DB24C8958A8BFF0FF56300B1941AAD44EC7193DA29E849C3D1

                                              Execution Graph

                                              Execution Coverage:7.6%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:16
                                              Total number of Limit Nodes:1
                                              execution_graph 15283 119b1c8 15284 119b20e 15283->15284 15288 119b3a8 15284->15288 15291 119b397 15284->15291 15285 119b2fb 15289 119b3d6 15288->15289 15296 119af3c 15288->15296 15289->15285 15292 119b371 15291->15292 15293 119b3a6 15291->15293 15292->15285 15294 119af3c DuplicateHandle 15293->15294 15295 119b3d6 15294->15295 15295->15285 15297 119b410 DuplicateHandle 15296->15297 15298 119b4a6 15297->15298 15298->15289 15299 1196140 15300 1196184 SetWindowsHookExW 15299->15300 15302 11961ca 15300->15302

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1100 119af3c-119b4a4 DuplicateHandle 1102 119b4ad-119b4ca 1100->1102 1103 119b4a6-119b4ac 1100->1103 1103->1102
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0119B3D6,?,?,?,?,?), ref: 0119B497
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3806080498.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1190000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 9046c3a58360e182f806d83edcbd6eefe9b0be1abfb8c2b2c8fc3aa3362f232b
                                              • Instruction ID: d70fd5b0866f44d089ee05e98c71f08d3d26ca991e522db2f7602a104cc39261
                                              • Opcode Fuzzy Hash: 9046c3a58360e182f806d83edcbd6eefe9b0be1abfb8c2b2c8fc3aa3362f232b
                                              • Instruction Fuzzy Hash: B821E3B5D043089FDB10CFAAD984AEEBBF4FB48320F14842AE915A3350D775A954CFA5

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1106 119b408-119b40b 1107 119b410-119b4a4 DuplicateHandle 1106->1107 1108 119b4ad-119b4ca 1107->1108 1109 119b4a6-119b4ac 1107->1109 1109->1108
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0119B3D6,?,?,?,?,?), ref: 0119B497
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3806080498.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1190000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 9405a6330324df7f70e4bedfb623199df818de6ada7887adde92ea53ce284585
                                              • Instruction ID: b984971d324e3741bb38804d06a873fbdf6874b2586d928b118314c85fa88740
                                              • Opcode Fuzzy Hash: 9405a6330324df7f70e4bedfb623199df818de6ada7887adde92ea53ce284585
                                              • Instruction Fuzzy Hash: 0221E3B5D00249AFDB10CFAAD984ADEBBF8FB48320F14841AE914A3350D778A944CF65

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1112 1196138-119618a 1114 119618c 1112->1114 1115 1196196-11961c8 SetWindowsHookExW 1112->1115 1118 1196194 1114->1118 1116 11961ca-11961d0 1115->1116 1117 11961d1-11961f6 1115->1117 1116->1117 1118->1115
                                              APIs
                                              • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 011961BB
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3806080498.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1190000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: HookWindows
                                              • String ID:
                                              • API String ID: 2559412058-0
                                              • Opcode ID: 375bd28b6c97f439df209cb07a7669d60a812557ddb9de93477fc0e65fda65ed
                                              • Instruction ID: e6af04f9326d1015b6047fd8a565915295ee53656347da5235af350bea08f1f1
                                              • Opcode Fuzzy Hash: 375bd28b6c97f439df209cb07a7669d60a812557ddb9de93477fc0e65fda65ed
                                              • Instruction Fuzzy Hash: 732107B5D002098FDB14DFA9C945BEEBBF5EF88310F10842AD865A7250CB74A945CFA0

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1122 1196140-119618a 1124 119618c 1122->1124 1125 1196196-11961c8 SetWindowsHookExW 1122->1125 1128 1196194 1124->1128 1126 11961ca-11961d0 1125->1126 1127 11961d1-11961f6 1125->1127 1126->1127 1128->1125
                                              APIs
                                              • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 011961BB
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3806080498.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_1190000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: HookWindows
                                              • String ID:
                                              • API String ID: 2559412058-0
                                              • Opcode ID: baae997d7451bcc62508345edb3376cc4dcf8459b89f4e52cb81566db5b69464
                                              • Instruction ID: 2a9416c22ebbdfd011b6360ac386e6f503bf64dfb3e5084eaf0d068c06d30a8d
                                              • Opcode Fuzzy Hash: baae997d7451bcc62508345edb3376cc4dcf8459b89f4e52cb81566db5b69464
                                              • Instruction Fuzzy Hash: 7621F7B5D002099FDB14DFAAD944BEEFBF5FB88310F10842AD429A7250CB75A945CFA1
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3805317491.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_10bd000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3ad851f07ef63b4eb1e4171c7b55b0f644119c9d401d0095f49d7f35503049f5
                                              • Instruction ID: dbf2c4d57d4d3765d1fcd086b6b559de43f8a10fefa86760a91f095879773669
                                              • Opcode Fuzzy Hash: 3ad851f07ef63b4eb1e4171c7b55b0f644119c9d401d0095f49d7f35503049f5
                                              • Instruction Fuzzy Hash: F4213671504200DFDB15DF54D9C0B96FBA5FB94328F20C5A9E8490E256C73AE456CBA2
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3805594818.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_10cd000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 50b8b99cfe68de8264d3f5244796f6eda5c6ad9a7f719798c8e731cf4deff199
                                              • Instruction ID: 6032634bb2c00e9b1925b1dad6eb711846ece57324ab59ca31cc12244c5e1d14
                                              • Opcode Fuzzy Hash: 50b8b99cfe68de8264d3f5244796f6eda5c6ad9a7f719798c8e731cf4deff199
                                              • Instruction Fuzzy Hash: EB21F275604204AFDB05DF54D9C4B2ABBA5EBC8724F20C5BDDC894B296C336D846CFA1
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3805594818.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_10cd000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d3fa5173c8d7a58ad74896b54691a1406da48f7f88fe5d95f69b78caf89eb870
                                              • Instruction ID: 50e400cf692ffb061c7ec91a102df9662ee63625dde156037d44a0d521bea993
                                              • Opcode Fuzzy Hash: d3fa5173c8d7a58ad74896b54691a1406da48f7f88fe5d95f69b78caf89eb870
                                              • Instruction Fuzzy Hash: 6121B071604300DFDB25DF68D984B1ABBA5EB84654F30C6BDE9894B352C236D847CBA2
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3805594818.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_10cd000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2587b3522f8a48cdae5a2167abde41203deb482e7825b8dacf48d17777893e3a
                                              • Instruction ID: bca1f3abafac763656ffea9b573f37ccde31a0e5078908faba26760a56e1f92c
                                              • Opcode Fuzzy Hash: 2587b3522f8a48cdae5a2167abde41203deb482e7825b8dacf48d17777893e3a
                                              • Instruction Fuzzy Hash: 3B21A7755083809FC713CF18D584715BFB1EB45314F24C5EED8858B2A3C33A9846CBA2
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3805317491.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_10bd000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                              • Instruction ID: c4982c05f36d034dd0d92f36b26ee8886780003758872b45789d0bd5e1007b2a
                                              • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                              • Instruction Fuzzy Hash: AC11DF76504280CFCB16CF44D5C0B96FFA2FB84328F24C5A9D8490B657C33AD45ACBA1
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3805594818.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_10cd000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                              • Instruction ID: 6da2df5e9166997689d606567b1c447b66d943b5895444d6c18a8b461430bacb
                                              • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                              • Instruction Fuzzy Hash: EA11BE75504280DFDB06CF54D9C4B19BBA2FB84724F24C6ADDC494B256C33AD44ACF91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c6b1301305b9190e676a3a28ab5dbf9e066e3a8781e54310eab75c7332578986
                                              • Instruction ID: 74ec1ae860a0f253abe03409265464acc831b0bed4cebd0ccf8c9de0eeab4f8a
                                              • Opcode Fuzzy Hash: c6b1301305b9190e676a3a28ab5dbf9e066e3a8781e54310eab75c7332578986
                                              • Instruction Fuzzy Hash: 0C915C74B007189BDB19EFB894106AFBBF2EFC4700B008A2DD556AB354DF749E068B95
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 22700953bf6bb14efe3b8e99347b06c478cc7dcb364dece432b17cbcafc1c1b4
                                              • Instruction ID: ea11169718f491798a259cf755be5f409f031ebed45042f0b0ecd64517dc0df1
                                              • Opcode Fuzzy Hash: 22700953bf6bb14efe3b8e99347b06c478cc7dcb364dece432b17cbcafc1c1b4
                                              • Instruction Fuzzy Hash: C7914C74B007185BDB19EFB898106AFBAE2EFC4700B008A29E516AB354DF749E058BD5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1468779753.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'q$4'q$pi5k$pi5k$pi5k$pi5k$pi5k$|,7k$Jnl$Jnl$Jnl$Jnl$Jnl$Jnl$rml$rml
                                              • API String ID: 0-2153264186
                                              • Opcode ID: d7d55fa79e67dbcdd5c061a5f5c5e099ad88b31bcdd721b48684818e62021d3d
                                              • Instruction ID: 0875f5d988e0073d2d2891efb22cd81bf14cda1afb1fc4b697cd07b9c473d270
                                              • Opcode Fuzzy Hash: d7d55fa79e67dbcdd5c061a5f5c5e099ad88b31bcdd721b48684818e62021d3d
                                              • Instruction Fuzzy Hash: 442204B1B00286DFDB259F69884176AFBF1BF89321F14806AD845CB291EB31EC45C7A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1468779753.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'q$4'q$4'q$4'q
                                              • API String ID: 0-4210068417
                                              • Opcode ID: 100524b071a089a58cfbb5647e6205203fe783ccb3b2ad9503bdd898f7cfdd76
                                              • Instruction ID: f6f40fa9c3b78cfe4541cd6300088d903ae5018fdcdce3b871fd876a379cf2b1
                                              • Opcode Fuzzy Hash: 100524b071a089a58cfbb5647e6205203fe783ccb3b2ad9503bdd898f7cfdd76
                                              • Instruction Fuzzy Hash: 291268B1B043958FDB269B68981176BFBE2AFC1211F14807AD945DB391EB31DC42C7A2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (q
                                              • API String ID: 0-2414175341
                                              • Opcode ID: 866cc88529e40c7d9382eb95c8c618a843a0350a7412e86bd6636b84eba01939
                                              • Instruction ID: bca11921921762e958ad161e459c68d166c0fff38f45342b9f5cee2154d8ae85
                                              • Opcode Fuzzy Hash: 866cc88529e40c7d9382eb95c8c618a843a0350a7412e86bd6636b84eba01939
                                              • Instruction Fuzzy Hash: DA416E35B042058FDB14DB65C568AAEBBF1EF8D715F1840A8E846EB391CB35DC02CB61
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (&q
                                              • API String ID: 0-583763264
                                              • Opcode ID: c909d5791df8891030f10b37d528dbb06681eb20ebd0bb8aa021ca48df56e3d3
                                              • Instruction ID: 82eab16f5d24faf112a90d30fcd5d5dc157e426a2a2f9f840a5781ed2a07e944
                                              • Opcode Fuzzy Hash: c909d5791df8891030f10b37d528dbb06681eb20ebd0bb8aa021ca48df56e3d3
                                              • Instruction Fuzzy Hash: 8F21E075E043088FCB25DFAAE400B9EBFF5EF88220F14846EE418E7350CA7499058BA5
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4fde22c924be29d947a10b1c7c7bf4e95be14eedfa7c6ebdf72a2d1a0e87a8ce
                                              • Instruction ID: 7f1155357ad6a0498440c8728edd3dc5c258582f2e1e49b15727911dcde008e2
                                              • Opcode Fuzzy Hash: 4fde22c924be29d947a10b1c7c7bf4e95be14eedfa7c6ebdf72a2d1a0e87a8ce
                                              • Instruction Fuzzy Hash: D4916F74A002058FCB15CF58C5A4AAEFBB1FF49310F2486A9E855AB365C736EC51CB90
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c86d1b8df2a29f4554425e06a559359fe2943c8a36c02df1ba531750cdc3e6cc
                                              • Instruction ID: 4bffd8472a14e9aa3021c61525b01bcc5285c3b324729be9a52eafac52e1f544
                                              • Opcode Fuzzy Hash: c86d1b8df2a29f4554425e06a559359fe2943c8a36c02df1ba531750cdc3e6cc
                                              • Instruction Fuzzy Hash: 1C610575E012089FDB15DFA9D584B9DFBF2FF89310F18812AE809AB364DB709846CB54
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 21aa751d799fd7b5bf4e946e5064c8f604a7f622e33b3933ae57826d4c3fd1d4
                                              • Instruction ID: dd2cd2f9ee593acf6b9e9119b0ca1dd3f40c2e0b71a0b00a327cfbe4e3dffe9c
                                              • Opcode Fuzzy Hash: 21aa751d799fd7b5bf4e946e5064c8f604a7f622e33b3933ae57826d4c3fd1d4
                                              • Instruction Fuzzy Hash: 5651A0357002059FD714DB79E954A2A77EAFFC8215F1885B9E809DB351DB35EC02CBA0
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 757bffc7c94c4c37980d45d71717e4edda76fa45e86f0df2afb39b33974a0fa8
                                              • Instruction ID: 74f051f83d124876a9cf96fb994460e563f3d546f5c408ca10781fd1ff773666
                                              • Opcode Fuzzy Hash: 757bffc7c94c4c37980d45d71717e4edda76fa45e86f0df2afb39b33974a0fa8
                                              • Instruction Fuzzy Hash: 97511575E013489FDB15DFA9D584A9DFBF2FF88310F18802AE809AB365DB309846CB54
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d28f8fc506deb0bf3edc7827b81153c371c50bf41bacd46df9d2092c77bcc119
                                              • Instruction ID: e2f3f403e8a3a5972dfa33094981ed86cb0da438cb9ef037f0c7c99bbe2e7daf
                                              • Opcode Fuzzy Hash: d28f8fc506deb0bf3edc7827b81153c371c50bf41bacd46df9d2092c77bcc119
                                              • Instruction Fuzzy Hash: BA415C74A002059FCB15CF58C5A8AAAFBB1FF49310F1585A9E815AB365C736FC91CBA0
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1468779753.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b5cb1a2ad78b4c6a6b31876249d36afb15eb7c20f2ea778a147b0f9fa095f3e0
                                              • Instruction ID: 61793c9904424cb6fe05a41aef33a77af06bee01ffaa3469ab47188a8f926252
                                              • Opcode Fuzzy Hash: b5cb1a2ad78b4c6a6b31876249d36afb15eb7c20f2ea778a147b0f9fa095f3e0
                                              • Instruction Fuzzy Hash: 263105F1A10242DFDB258F24C551E7AFBE3AF84250F598169E9009F391E731EC40EBA6
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aa3b2d9646fc9acd086879f9424313c7aa9d57e8c70f5dfe59f844b428429391
                                              • Instruction ID: eb3da1ae9ec04a224e756ab5bc6af5858d92040f09dc1e2928c63cba155967ec
                                              • Opcode Fuzzy Hash: aa3b2d9646fc9acd086879f9424313c7aa9d57e8c70f5dfe59f844b428429391
                                              • Instruction Fuzzy Hash: B5314F353017019FD715EB78E854B9EBBA6EFC4215F048639E509CB361DF71A806CBA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d2ec4be66acddcd8f8ab4337c3119a46c239a42ca41f48cdf839cf66024d6c51
                                              • Instruction ID: 876751666ee88ea14a3e24c3eaf9825f36421ca2d791279442dd66b5773e1dce
                                              • Opcode Fuzzy Hash: d2ec4be66acddcd8f8ab4337c3119a46c239a42ca41f48cdf839cf66024d6c51
                                              • Instruction Fuzzy Hash: D5313B75B002058FDB14DF69C598AAEBBF1AF8D715F1840A8E846EB391CB31DC02CB60
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7e30a1cd56711665141048f5a5d71e310b05b6e3b32810b20509e1916f7817a8
                                              • Instruction ID: 731e08602214dea85da2f3f19c1d61255adb4c1bd5e29af097251ff001ad097a
                                              • Opcode Fuzzy Hash: 7e30a1cd56711665141048f5a5d71e310b05b6e3b32810b20509e1916f7817a8
                                              • Instruction Fuzzy Hash: 45314174E012099FDB1ADFA9D594BAEBBF6AF88300F14816DE905EB351DB3488018B54
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d5fa2eee31cd32a935d35a66d5eec62be362eab3d2239dd91154c7ba903b791e
                                              • Instruction ID: 1a6676576b500fcccc6810f1d7a9d22e0743c87192a297f7e08c5087a42615fd
                                              • Opcode Fuzzy Hash: d5fa2eee31cd32a935d35a66d5eec62be362eab3d2239dd91154c7ba903b791e
                                              • Instruction Fuzzy Hash: 0A314C74E016099FDB1ADFA9D594BAEBBF6EF88300F148139E905EB350EB348C018B54
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d2d373011cdd554c623dcf5d813a4c77ca449235252c518546daa4fde788ac08
                                              • Instruction ID: 6cd259e315c6e2268fde9b4bf0e7a93c40eefcc3228efd42704f27a157345bab
                                              • Opcode Fuzzy Hash: d2d373011cdd554c623dcf5d813a4c77ca449235252c518546daa4fde788ac08
                                              • Instruction Fuzzy Hash: FF316B34A016048FCB14EFA8D458A9EBBF2FF88224F04446DE802EB3A5DB719C45CB54
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5b0b70228e2873f0275e045453c204a0e107098df33d1d79b8ebb15c9bea7831
                                              • Instruction ID: fe04dcdffd0541087e896f460e25cec75dc1a177985ad5617c2b709e7b4a815e
                                              • Opcode Fuzzy Hash: 5b0b70228e2873f0275e045453c204a0e107098df33d1d79b8ebb15c9bea7831
                                              • Instruction Fuzzy Hash: 88316FB8E402099FDB01DBA8E858AAE7BB2EFC5300F148479D511AF3A5CA389D458B50
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a7deba713db861d8c3c9830cfa615e113ab592d3901d6d424f2fb3aa9c155f94
                                              • Instruction ID: 4aa48b0eb0be1359592bc7b4a33b495608c24416e98b6356853761b07108318b
                                              • Opcode Fuzzy Hash: a7deba713db861d8c3c9830cfa615e113ab592d3901d6d424f2fb3aa9c155f94
                                              • Instruction Fuzzy Hash: 3D314C74A012058FDB14EF69D458A9EBBF2FF88224F144469E806EB3A4DF71AC45CB94
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8f6449ce6e9b13f4245ccc4b59a7e320c24b944755461d9df80458f6680c71d6
                                              • Instruction ID: e7e9f1573a4cc5560d44c6f09ff920690679a0100d8871289dbf2ac8f6af0959
                                              • Opcode Fuzzy Hash: 8f6449ce6e9b13f4245ccc4b59a7e320c24b944755461d9df80458f6680c71d6
                                              • Instruction Fuzzy Hash: DF3130B8E007099FDB05EFA8E854AAE7BB2FFC5300F108479D511AF3A5DA399D018B50
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1461944774.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_35ad000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6ac07b3cf6e578436875b2785b8b41debe960ae7b476ea9cc2f73df1ea49e608
                                              • Instruction ID: 8ef5c8acc9aaa44df5712810d50df991dfa2dc8b17d6f664e93617bacf6e39ad
                                              • Opcode Fuzzy Hash: 6ac07b3cf6e578436875b2785b8b41debe960ae7b476ea9cc2f73df1ea49e608
                                              • Instruction Fuzzy Hash: E021E276608700EFDB05DF18E9C0B1ABB65FB88314F24C9A9E9090E266C336D456DBA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e110c02b559025f4aab26749ed99475f654440600fc9682e08aa855a674eba12
                                              • Instruction ID: a0d8de5d30cad9c4bfdb0ec725ca26ed35ca83fc745a732a658c868701414c90
                                              • Opcode Fuzzy Hash: e110c02b559025f4aab26749ed99475f654440600fc9682e08aa855a674eba12
                                              • Instruction Fuzzy Hash: 3C317874A05744CEDB60CF6AD18879AFFF2EB89324F28806DD84D9B316C77494468B61
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: abf994fae74ac12dd3739488c894ed46b1a744ccc91d2545f020a334bfb9539d
                                              • Instruction ID: 7341701b72eba8e806aa8df7fa87452e715acc9ea2fb97df69d6b0e5d9c075dc
                                              • Opcode Fuzzy Hash: abf994fae74ac12dd3739488c894ed46b1a744ccc91d2545f020a334bfb9539d
                                              • Instruction Fuzzy Hash: FB218035705240CFCB15DB78E444AAABFF5EF8A315F1944AEE849CB322C6329C06DB10
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1461944774.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_35ad000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e8c540162f02adfb4de88d4c51735a00036d7cfe0e4aea9c196bef2faaddf8d7
                                              • Instruction ID: ea8eaa9692fe23f387c77ee06e967522b477eab16fe585ee81e0306e169f9250
                                              • Opcode Fuzzy Hash: e8c540162f02adfb4de88d4c51735a00036d7cfe0e4aea9c196bef2faaddf8d7
                                              • Instruction Fuzzy Hash: 2D213775604640DFDB14DF28EDC4B1ABBA5FB84324F24C9ADD80A4B262C336D446EB61
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7cf91e9f3ce4a02c3703a5012886168561859987feafc637f41c7ea03bdd2734
                                              • Instruction ID: 0c37c7a1ec224b1fd1fad75c40f8a220025b03ec2d5a1656d5c5a4c6a0db0565
                                              • Opcode Fuzzy Hash: 7cf91e9f3ce4a02c3703a5012886168561859987feafc637f41c7ea03bdd2734
                                              • Instruction Fuzzy Hash: E6216674A05744CEDB60DF6AD18838AFBF6EF88324F28C06EE85D97305C77468818B60
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1461944774.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_35ad000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 59749343998cfa1b05c4f09baab70137da327465b77810b3c1cc73054374954e
                                              • Instruction ID: f8993a492c7e42737991f2986d2817d96a154719eff628972ab6cf88fae109f3
                                              • Opcode Fuzzy Hash: 59749343998cfa1b05c4f09baab70137da327465b77810b3c1cc73054374954e
                                              • Instruction Fuzzy Hash: ED215BB16047409FD714DF18F9C4B29BBA5FB88314F24C5ADD8094B351C336D847DAA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4f1c91641d0f36c06fcf2cb2a14f819ed6b45d79f55c3d28f21bd21a9e32f220
                                              • Instruction ID: afa9868515c497407c8d4381b19c09b850e69e90bb52527b02cf539677724fee
                                              • Opcode Fuzzy Hash: 4f1c91641d0f36c06fcf2cb2a14f819ed6b45d79f55c3d28f21bd21a9e32f220
                                              • Instruction Fuzzy Hash: 18111C39B002188FCB14DBA8E940ADE77F6EBCC255B0440A4E909DB750DB31DC12CB90
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1468779753.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c52047a29c163600f7165d362a7e877476dbb93ec25d2751e0dc290859ed305b
                                              • Instruction ID: 41a57d38afe06ce756d9799b661af9809ad5b46402d54852964d11a5894d6dff
                                              • Opcode Fuzzy Hash: c52047a29c163600f7165d362a7e877476dbb93ec25d2751e0dc290859ed305b
                                              • Instruction Fuzzy Hash: F711BCF0A5028ADFDB20CF59C984B6AF7F1FB85321F488066D9489B211E731F944CBA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1461944774.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_35ad000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
                                              • Instruction ID: 78be43906fc2a8da1ac479adde1210699f7a120639b34cd8483e3083086db43c
                                              • Opcode Fuzzy Hash: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
                                              • Instruction Fuzzy Hash: 4A21AC76504640DFCB06CF14E9C0B16BF72FB88314F28C5A9D8494A266C33AD46ADB91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1461944774.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_35ad000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 020411f76a1def23680c170f620a6ef38196b77a797ef2394590ff05fb243f34
                                              • Instruction ID: 824cba815f33fa5b086ab3501a8241d23ce5ad5eed3cbfd4cd08655ed4c10245
                                              • Opcode Fuzzy Hash: 020411f76a1def23680c170f620a6ef38196b77a797ef2394590ff05fb243f34
                                              • Instruction Fuzzy Hash: 8F11BE79504680DFCB15CF14D9C0B19BFA1FB44328F28C6A9D84A4B666C33AD44ADB61
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eb433abe34324899de536dfd24b3519b3a62870d262be0a9688f4c2165c796c2
                                              • Instruction ID: 10eb67a89a883d7836567a4bed3cd3c8570cd4305548d090fad9b7d3101df8b0
                                              • Opcode Fuzzy Hash: eb433abe34324899de536dfd24b3519b3a62870d262be0a9688f4c2165c796c2
                                              • Instruction Fuzzy Hash: EA01D6316087449FD715D779D954A6A7FF4EF46210F1848EEE48ECB7B2D620E845C701
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1461944774.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_35ad000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9166586a82980713c120ff28bf7eda989a79b0c042446dbf275705f7948bbe2f
                                              • Instruction ID: d935d4d193235975b6187173cc08d2149923f92bbdce23a39f907ec0dda183c4
                                              • Opcode Fuzzy Hash: 9166586a82980713c120ff28bf7eda989a79b0c042446dbf275705f7948bbe2f
                                              • Instruction Fuzzy Hash: B4119EB55046808FDB15DF28E9C4B19BBA1FB48314F28C6ADC8494B662C33AD44ACB92
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d3a621515c643e0a5e3c03493eb8f1007e4da7388258a43f7c4d38e7b601f5a4
                                              • Instruction ID: 85e1c1f1ec4ff8f54049e02612db3bd2da1581b62164fad016b83f5e45e35b28
                                              • Opcode Fuzzy Hash: d3a621515c643e0a5e3c03493eb8f1007e4da7388258a43f7c4d38e7b601f5a4
                                              • Instruction Fuzzy Hash: 08113935204750CFC728DF75C44089ABBF6EF8921532089ADD48A87BA0DB32F845CB50
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2f068e21c7ba91876e632cb4104c60d4d95f06f7355a3552e57c55ecd6251a9d
                                              • Instruction ID: ffb284118d40ba94ad052ab691dab2ef8223fe32b748e0e913936c4a92c15636
                                              • Opcode Fuzzy Hash: 2f068e21c7ba91876e632cb4104c60d4d95f06f7355a3552e57c55ecd6251a9d
                                              • Instruction Fuzzy Hash: 54019E36B052149FCB15AFB4E808AAEBBF5FB88315F04407DE91AD3352DB329911CB91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1461944774.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_35ad000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a38fe851fe2258b6cee72fee3acacfa1a8b35b3fec69f6db8a70c9b0ddb3f5cf
                                              • Instruction ID: 52f144e4cb9b95afb9b2ba79e624bda397ea1c7f25344be25ad1a9d72b4180a1
                                              • Opcode Fuzzy Hash: a38fe851fe2258b6cee72fee3acacfa1a8b35b3fec69f6db8a70c9b0ddb3f5cf
                                              • Instruction Fuzzy Hash: C801F731404B409EE720EA2AEC84B6EFFE8FF41625F08C459DD480B692D2799845EAB1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1461944774.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_35ad000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 68bcfd07457deb0e6fc9563c3f4619d0b368743dc5322732e805e559ba527ccf
                                              • Instruction ID: 1b4a2d7bec3c1b8af1d07d657716a4dd7767cfd140bd16c9cf1d17b42bc28c1f
                                              • Opcode Fuzzy Hash: 68bcfd07457deb0e6fc9563c3f4619d0b368743dc5322732e805e559ba527ccf
                                              • Instruction Fuzzy Hash: AD01803140E3C09FD7128B259894B5ABFB8EF43224F1D81DBD8888F6A3C2689845D772
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f060cf756a5a5d42637f03e20ac4d034b817c350a6b051bc3764a67a4720a440
                                              • Instruction ID: e7017cdd3231ee09a1e93201d8eb3e2b737b7721b0d57e8ac9ff119fc328aa40
                                              • Opcode Fuzzy Hash: f060cf756a5a5d42637f03e20ac4d034b817c350a6b051bc3764a67a4720a440
                                              • Instruction Fuzzy Hash: F8F0A4353093A05FD7118A799C549B77FE9DB8662070940AEF884C77A2C9B1CC058760
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2370632f3c720f010865751c927348408ab8b5f2a3451dbc768888d00757e9c2
                                              • Instruction ID: b3beccd1950f18d0da13158e946cda6b95714d38b60f6772178ba41f1013e0bd
                                              • Opcode Fuzzy Hash: 2370632f3c720f010865751c927348408ab8b5f2a3451dbc768888d00757e9c2
                                              • Instruction Fuzzy Hash: A1F0CD357042409FC720DB69E884EAF7BE9EB88261B00062DE54EC7350CF30AC458BA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1461944774.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_35ad000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 558b880e4ff9da24b9307dd5e38fa989da75fbb7b286278133b154eb0f817f35
                                              • Instruction ID: a549d8563cb5112f953fac749064dc48f2cb8cadd92ea7183dfc1f5d9299e791
                                              • Opcode Fuzzy Hash: 558b880e4ff9da24b9307dd5e38fa989da75fbb7b286278133b154eb0f817f35
                                              • Instruction Fuzzy Hash: 9CF0E776604A00AFD720DF0AD985C26FBB9EFD4670719C55AE84A4B612C671EC42CAA0
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df488a8fcd5f835b83358183d61be0dd6f4b8a72a4a1c3326352205e1ff0c452
                                              • Instruction ID: e889916b4c01d6326ff4c888730d71db831a4c473e078d8a1055affb00a53638
                                              • Opcode Fuzzy Hash: df488a8fcd5f835b83358183d61be0dd6f4b8a72a4a1c3326352205e1ff0c452
                                              • Instruction Fuzzy Hash: 1FF0F6397087418FD705AB28D0193ABBFB1EBC1318F1085AED4568B295CE3A5806CBA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e9c71886a744a803261ee190351eb3ff1aaf0ab17aaa56b3afa5dc2773ed04c5
                                              • Instruction ID: bb057bac2bf39632cecc31067438928cbc55218d6b2baf29aeab2abd58ff8402
                                              • Opcode Fuzzy Hash: e9c71886a744a803261ee190351eb3ff1aaf0ab17aaa56b3afa5dc2773ed04c5
                                              • Instruction Fuzzy Hash: 0EF05E357042418FC7119B2CD494CB6BBF59FCA61532D00EEE485CB372CA62CC02CB50
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 96b7e363e81a7781486770716b5b93366af9bba9ccc6f924f98d4be680388b5b
                                              • Instruction ID: d3d83ecdadca41523f7f10c078eb71b434d6e81c6a376a0addbf5ac6e866dfb3
                                              • Opcode Fuzzy Hash: 96b7e363e81a7781486770716b5b93366af9bba9ccc6f924f98d4be680388b5b
                                              • Instruction Fuzzy Hash: CCF0A0357007149FC710EB6AE844A6FB7E9EBC8661B00062DF50EC7350DF30AC0587A5
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1461944774.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_35ad000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e3ac1ef6358a996cfee8cd313bdf90281e92aded6225302d2805ae04ba50bbc4
                                              • Instruction ID: d55658a045fd743310bc93a1d0dba854be8616ad791058172e2194a3a1dcc88c
                                              • Opcode Fuzzy Hash: e3ac1ef6358a996cfee8cd313bdf90281e92aded6225302d2805ae04ba50bbc4
                                              • Instruction Fuzzy Hash: B1F04975504A40AFD321CF06CD84D23BBB9EFC5620B198489E84A4B722C631FC02CFA0
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5d352fcb0462fa84ef4d6e34056f605d83ef7f0d29f2d057ed35ba3d1efd2031
                                              • Instruction ID: 1b9667bdc6c33f1bd23be5ecb371ad03456778f435f290ddbf67b74ff3148db3
                                              • Opcode Fuzzy Hash: 5d352fcb0462fa84ef4d6e34056f605d83ef7f0d29f2d057ed35ba3d1efd2031
                                              • Instruction Fuzzy Hash: E4F0BE3060A3408FD761DB78D4DC38ABFE0EF42310F0508AED48ACB282CB396888C710
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e5242bc6c2a21a2b03ba049d9e44bb3ead7fe974c5b1b0071ce9fd2215f45cae
                                              • Instruction ID: 48bd432c705ff9f0fceb5ce3eea65f8016e48c4625e7248788eb20e92d714863
                                              • Opcode Fuzzy Hash: e5242bc6c2a21a2b03ba049d9e44bb3ead7fe974c5b1b0071ce9fd2215f45cae
                                              • Instruction Fuzzy Hash: A7F082796047155BD704BB6DD01979FBBA6EBC4318F10816AD90A4B394CE3A6805C7E0
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 651743d90dc902e78af237ab1fbf40a9e64da550d61f3e8bac93415a08e3f4ef
                                              • Instruction ID: 7986a14aa8511563b83b5bfe8386338c3adc0c797018ae09ed775b282f1f7963
                                              • Opcode Fuzzy Hash: 651743d90dc902e78af237ab1fbf40a9e64da550d61f3e8bac93415a08e3f4ef
                                              • Instruction Fuzzy Hash: 80F0A7397001148FCB10DB6C9900B9A77A6EBCC655B0941A4F909DB750DF30DC128B91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c9d4d8459667c8f99bf6172778d7fc5c5ebbd74962213c64b5dcf3efa742b0f2
                                              • Instruction ID: 9edb0d8d002f4eaeae6f452a5f53b4ef2e76122f23bfcefed2655a60e7a171b7
                                              • Opcode Fuzzy Hash: c9d4d8459667c8f99bf6172778d7fc5c5ebbd74962213c64b5dcf3efa742b0f2
                                              • Instruction Fuzzy Hash: 7FF0EC3560AB80ABC313D32D941089E7FF6DDC717430940AED445CB262CA558C0A87E7
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e8fdc0a809c20f59120285d976ea1a8d8f70d49a0a295d762f252ed6d0816dff
                                              • Instruction ID: c0c37a24c3cf6f6abc2a6ad1dff60f4e43251c0fd925c341630d5aa884c8bfca
                                              • Opcode Fuzzy Hash: e8fdc0a809c20f59120285d976ea1a8d8f70d49a0a295d762f252ed6d0816dff
                                              • Instruction Fuzzy Hash: 62E0ED367002118F8610DB1DD454D67B7EAEFCE65571900AAF945CB321DA62DC01CB90
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cc7cb5a63f39479c880f3b4a918bd22785f5f8cba3afcd02639a0f555fc67483
                                              • Instruction ID: b28ea45187ad28e13c0e69c20910b76591bc9d32f6c1c6f6e327bbbd4aafa7ab
                                              • Opcode Fuzzy Hash: cc7cb5a63f39479c880f3b4a918bd22785f5f8cba3afcd02639a0f555fc67483
                                              • Instruction Fuzzy Hash: A0E09A2130A3D20B8B16E2BCA8102AE6FDA4EC6061B1900FEED84CF643D9448C0683A6
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 653ae6ecf3f212ffc51bf1f6868af2148e6c3e1d5806f534fb9d5f935c35e19a
                                              • Instruction ID: b9b4479fa9d8aa2d6442ea7e6585293bc1810622f1c04364de48ed1bcad4aebf
                                              • Opcode Fuzzy Hash: 653ae6ecf3f212ffc51bf1f6868af2148e6c3e1d5806f534fb9d5f935c35e19a
                                              • Instruction Fuzzy Hash: D2F0273430E3904FC706677894081AD3F71EBC1314F04006FD506CB283CF2408058395
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1790bc465a4031aa8961495bbefba5a2828dd9f3a95070753514408309b2027b
                                              • Instruction ID: 38ab77b9d74298755cf1f6d82e679db2aa2a2499bb9943f5d262c4c2d3d801a0
                                              • Opcode Fuzzy Hash: 1790bc465a4031aa8961495bbefba5a2828dd9f3a95070753514408309b2027b
                                              • Instruction Fuzzy Hash: DCE09235B04450E78B09C66CE8554F9FF769FC9320F0485BEEC4AA7680CA72581BD7E1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf9f0f85984b1d7deac5aa721d4a5973946f09b5562f0242e3fe8ebf38f9ef71
                                              • Instruction ID: dc9c9c70494ac20f9c9016338f23ebb16b3ee8909b86e75276f4ebdfedf3e6ee
                                              • Opcode Fuzzy Hash: cf9f0f85984b1d7deac5aa721d4a5973946f09b5562f0242e3fe8ebf38f9ef71
                                              • Instruction Fuzzy Hash: 3BF03970A053048BD360EBB8E49C39ABBE9FB44310F004469E50EC7240DB39A8808B90
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a41f5a1dc69b4acd062e7bc62984bd04ba2d03df091f4353a5298fd27220568b
                                              • Instruction ID: 9036793f806ad59c71eeb17037651575f57766fcca2a179c5a7f9deb2d038241
                                              • Opcode Fuzzy Hash: a41f5a1dc69b4acd062e7bc62984bd04ba2d03df091f4353a5298fd27220568b
                                              • Instruction Fuzzy Hash: 02E0CD2675F3E50F4717917E64204AA6FA78AC712030E81FEE884CF212CC514C0A4361
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b140208d2ead17bfeafc9ce25724015975f4ea1be0c4522342e75b0a2f208605
                                              • Instruction ID: 036e34e283ae4deeca3d91f020fb0550457e797c93971bf17a72332fe7f26ad7
                                              • Opcode Fuzzy Hash: b140208d2ead17bfeafc9ce25724015975f4ea1be0c4522342e75b0a2f208605
                                              • Instruction Fuzzy Hash: 14E0863971971457CB097BB9A41C2AE7A66FBC4B29F04013EE61B87381CF79590183D9
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 56a57ea50d2f516570b3e2e36163cbbb520b52640527a8f453a82bec04d7eee1
                                              • Instruction ID: b41033b44cef0f577644cac3cff60d9800363bfed0ff4a2dd5b91f8201bf9bce
                                              • Opcode Fuzzy Hash: 56a57ea50d2f516570b3e2e36163cbbb520b52640527a8f453a82bec04d7eee1
                                              • Instruction Fuzzy Hash: 73D05E16301326075958F5BEA91077BB5CE8AC55A2F0900BABE08CB741EE44CC0243F9
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bfc38182f2f4fa0373acc52252bbb39f40a8748e2acd82058c27a5183c43509d
                                              • Instruction ID: 59cfd0bd434a2b30184eb92df59c434120529e398bab50ea01ccec768701fd46
                                              • Opcode Fuzzy Hash: bfc38182f2f4fa0373acc52252bbb39f40a8748e2acd82058c27a5183c43509d
                                              • Instruction Fuzzy Hash: 8DE0C235700B14678216A75EA80085FBBEFEEC95B5708843EE409CB350DF64EC0647E6
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                              • Instruction ID: f53b6b5210fac79f9ab5ef15e0252a969be6b18409adbad4d2008e3986a41999
                                              • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                              • Instruction Fuzzy Hash: 16E08635B00014978B08D559D4104D9F7A9DBCC220F04807AED0AE7380DA325916C7E1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d47b023b8bf7bd5f09117c354d9f4e56687359a36ea3ad483f6d26e5157ee6c1
                                              • Instruction ID: 98a235256bbfc1a3bec38e89066592096a9bb08236a0a3e9aa71f9e20d301305
                                              • Opcode Fuzzy Hash: d47b023b8bf7bd5f09117c354d9f4e56687359a36ea3ad483f6d26e5157ee6c1
                                              • Instruction Fuzzy Hash: A6E04834A5D286DBCB05EBACD44646DBFB0EB45214F0441ADED4AD7642D631544ACF81
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1567cb2e869f60515f6649b626cee87df6bbf042a539122a0f1eaa1070ce5bc6
                                              • Instruction ID: 0053dfa77833c1ab6b1e1a04be428aedab25e7b8c70b2066ae35e2bcfe8747a3
                                              • Opcode Fuzzy Hash: 1567cb2e869f60515f6649b626cee87df6bbf042a539122a0f1eaa1070ce5bc6
                                              • Instruction Fuzzy Hash: A5E08631E1A146CBCB0DFBA4D95A4FD7F30EA15301B41059DD95352551EA715A4FCB80
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f5a0f663bdc05e9c1a382d916f298010adeb78bcdbc0156f00474f4a686cc7b9
                                              • Instruction ID: d41d402c93403afbc49c9516976cbcd923531af7dd6fbef78795045ef011683b
                                              • Opcode Fuzzy Hash: f5a0f663bdc05e9c1a382d916f298010adeb78bcdbc0156f00474f4a686cc7b9
                                              • Instruction Fuzzy Hash: 2DE0B6B0E012099E8B84DFB985415AAFFF0AB5D210B1085BED959D7201E63256128F81
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                              • Instruction ID: d392756baf730311679d508786dcd5fd1ab9c27481e05b9732fdeab308dd3adf
                                              • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                              • Instruction Fuzzy Hash: ADD067B0D05219DF8780EFADC94156EFBF4EB48204F6085BA9919E7311E7329A128BD1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 156791aa560f69a234c18436487d47f0b4659110a7bc33c80a1191304db209e3
                                              • Instruction ID: 3cf348560a8ca8a664807f8b2118c786c1396da3ab9c839bcdfcfd9caf0a6311
                                              • Opcode Fuzzy Hash: 156791aa560f69a234c18436487d47f0b4659110a7bc33c80a1191304db209e3
                                              • Instruction Fuzzy Hash: 7CD067319191098BCB0CFBA4E85A4BDBB74FA14301F40416DEA1792691EA316A5ACAC5
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aa65f1a5c12595e95a09fcb14215a93a27b9d5c9b18651261ece4290f0edd991
                                              • Instruction ID: 5a69e46f2584ceefb1e1d3e7c8e52de5ca25c2aed52b7c85a0f63c110cd1bba1
                                              • Opcode Fuzzy Hash: aa65f1a5c12595e95a09fcb14215a93a27b9d5c9b18651261ece4290f0edd991
                                              • Instruction Fuzzy Hash: E0D01734A1920A8B8B08EFA8E44686EBFB4EB44200F004169ED4A93740EA306801CBC1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f8e1f9ae44609510e7127cffc8e550d2c0cb65c0899c7318eae4d4c242e9da08
                                              • Instruction ID: 814890365cd5b54c6e2aff98ee7878cdb5f311456493d74e947b1c2ce6ce6f61
                                              • Opcode Fuzzy Hash: f8e1f9ae44609510e7127cffc8e550d2c0cb65c0899c7318eae4d4c242e9da08
                                              • Instruction Fuzzy Hash: 67D0C934548384DFC7158F7CE484E183FA0AF02214B0006DEE88A5A267CE36D898CF05
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8eae848d3f0798c05bf662a254dd0238f902099b2052643dadd127acb9f297a3
                                              • Instruction ID: 7a06b5fb53fdaa923fd237cb6d4c944e345ecb97542b43ff0fc844cb7c416e11
                                              • Opcode Fuzzy Hash: 8eae848d3f0798c05bf662a254dd0238f902099b2052643dadd127acb9f297a3
                                              • Instruction Fuzzy Hash: 39C02B3160C0014FEF08CB39885D7027B32EB43344F06818CC046C38A0CE384089CF04
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3d7a0cd42e3270303a8c9ac761b18ef0fb22f51e4dbfbf5714a1dc733b600cd0
                                              • Instruction ID: 554931d2b451be811983b8a3fcd28a10953c7b4f1b576902f848aa26d8ef22d0
                                              • Opcode Fuzzy Hash: 3d7a0cd42e3270303a8c9ac761b18ef0fb22f51e4dbfbf5714a1dc733b600cd0
                                              • Instruction Fuzzy Hash: 62B09230044708CFC2486FB9A4089187729AF4021538105A9E91E1A3968E36EC88CA44
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1468779753.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $c`k$4'q$4'q$4'q$4'q$84kl$84kl$pi5k$tPq$tPq$Jnl$Jnl$Jnl$Jnl$Jnl$rml$rml
                                              • API String ID: 0-1316400237
                                              • Opcode ID: 95ffd2d5579a0fac5092e2a9c90bad05ff55af0e81d0134f6c75650f2be11309
                                              • Instruction ID: a8899a15a57c6699efd8fb7bf5f70cacbf9083d8a1aa854b474e85a2adb99df3
                                              • Opcode Fuzzy Hash: 95ffd2d5579a0fac5092e2a9c90bad05ff55af0e81d0134f6c75650f2be11309
                                              • Instruction Fuzzy Hash: BDD136B1B0431ACFC7248B69980066AFBF2AFC5311F18C5BBD955DB251EB32D841C7A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1468779753.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'q$4'q$tPq$tPq$$q$$q$$q$$q$cl$cl
                                              • API String ID: 0-3549127322
                                              • Opcode ID: 815403169f7baa19c615bd364b15c010eb874ea77b07c99ec3f5c1864f97fd2d
                                              • Instruction ID: a604c535321c38ae715bf0a888f6f399ddfbbe0ed55646ad286632eb04444b09
                                              • Opcode Fuzzy Hash: 815403169f7baa19c615bd364b15c010eb874ea77b07c99ec3f5c1864f97fd2d
                                              • Instruction Fuzzy Hash: 33A146B27043968FD7248B69D801766FFE6AFC6210F1980AFE945CB391EA31DC41D7A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1468779753.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fq$4'q$4'q$4'q$4'q$rml$rml
                                              • API String ID: 0-1764243331
                                              • Opcode ID: 07c306a68ad71180f2c87bda1d83fc4c3020ab0d0d737265c1f64e75115c3e39
                                              • Instruction ID: 50f20fc5400a347a47781d1b8b94e2d035d7dfc805f1af09493a31712569beb4
                                              • Opcode Fuzzy Hash: 07c306a68ad71180f2c87bda1d83fc4c3020ab0d0d737265c1f64e75115c3e39
                                              • Instruction Fuzzy Hash: EDF125B1B043468FD7259B69D41176AFFA2AFC6211F18C0BAD546CB2D2EB31DC42C7A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1468779753.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'q$4'q$$q$$q$$q$cl$cl
                                              • API String ID: 0-3173862579
                                              • Opcode ID: b8a821fb2b62ac146c0d421b5f485e0f80a5fa3b6d3b5660b78b77387cd8b881
                                              • Instruction ID: 44f0298d8bec21c617070ec4fba23eb1b12890ee543788298f45ac52cb067845
                                              • Opcode Fuzzy Hash: b8a821fb2b62ac146c0d421b5f485e0f80a5fa3b6d3b5660b78b77387cd8b881
                                              • Instruction Fuzzy Hash: 11515AF17043869FDB244A69980177AFBA2AFC6221F24807BD885CB241FB31C842D7A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: tMml$`q$`q$`q$`q
                                              • API String ID: 0-2236247844
                                              • Opcode ID: 30ed8a3a0e72393b3f146b0f12370b7e89e5f1bd7d46ddbe4ac9d4c8b52f193f
                                              • Instruction ID: 032696ada4b60564a460387aa8aa5cd6ec84e0709c8aa27b9f08b02665395585
                                              • Opcode Fuzzy Hash: 30ed8a3a0e72393b3f146b0f12370b7e89e5f1bd7d46ddbe4ac9d4c8b52f193f
                                              • Instruction Fuzzy Hash: CEB19774E0031A9FDB54DFA9D580A9DFBF2BF88204F148629E819AB314DB34A9058F91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1462205876.0000000003650000.00000040.00000800.00020000.00000000.sdmp, Offset: 03650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_3650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: tMml$`q$`q$`q$`q
                                              • API String ID: 0-2236247844
                                              • Opcode ID: f52c1217a1330e1a3b87e3679d2cf5bd3ada5671bd299dca98754d0ba7157b5c
                                              • Instruction ID: 55fb69caaab7341a2a9c124c8b6f7305158a43d9268dcc23213783d533b4834b
                                              • Opcode Fuzzy Hash: f52c1217a1330e1a3b87e3679d2cf5bd3ada5671bd299dca98754d0ba7157b5c
                                              • Instruction Fuzzy Hash: 23B19574E0071A9FDB54DFA9D580A9DFBF2BF88204F148629E819AB314DB34A9058F91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1468779753.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $q$$q$$q$$q
                                              • API String ID: 0-4102054182
                                              • Opcode ID: efbd22c7c8a806d94c2317a6618a88777976558e17f131549323fe65015a2874
                                              • Instruction ID: fb53d2a72d0f02be0c9ddf3946493fb2e20efc69e792ef762ad37a9b8a2c828a
                                              • Opcode Fuzzy Hash: efbd22c7c8a806d94c2317a6618a88777976558e17f131549323fe65015a2874
                                              • Instruction Fuzzy Hash: 7C2147B17103069BEB345A6AB811727FB96AFC0711F24842EA94B8B381ED75D812C363
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1468779753.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: pi5k$pi5k$Jnl$Jnl
                                              • API String ID: 0-3779286662
                                              • Opcode ID: 1c74c92178529e7d68c9a34ada4ffb2a3eb9985dbba65e264a1580affa4d4085
                                              • Instruction ID: bbebfdaa9b45c9798620c9c68d8611201c481be894cf46a7c59169d045d52b11
                                              • Opcode Fuzzy Hash: 1c74c92178529e7d68c9a34ada4ffb2a3eb9985dbba65e264a1580affa4d4085
                                              • Instruction Fuzzy Hash: 9431E2B1904386DFCB21CF25C5856A6FBB4FF16321F0880AFD4448B151E334E985CBA1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1468779753.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'q$4'q$$q$$q
                                              • API String ID: 0-3199993180
                                              • Opcode ID: 8b1757151f50bf3669067dafed54d7a79cb2fa7d247c670f9dc419c71c304976
                                              • Instruction ID: 051a82a180ddb6dddcb8fb0333bdd44419014ec6874e54fb95cf05eac8fa2ffd
                                              • Opcode Fuzzy Hash: 8b1757151f50bf3669067dafed54d7a79cb2fa7d247c670f9dc419c71c304976
                                              • Instruction Fuzzy Hash: 8401A25170D7964FC32712652821159AFB25BC361071E90D7D881CB3D7DD149C06C3AB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.1468779753.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7d70000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $q$$q$Jnl$Jnl
                                              • API String ID: 0-793879174
                                              • Opcode ID: 9242779a9b601d016e2cf04a1828add3ecae4660bc720411c4732a04395cfb37
                                              • Instruction ID: cabf21854110fe0ef5efa74552bad989a79cff01d71eb6ace2c684ea06e68661
                                              • Opcode Fuzzy Hash: 9242779a9b601d016e2cf04a1828add3ecae4660bc720411c4732a04395cfb37
                                              • Instruction Fuzzy Hash: BD012472A0E3D14FD32706291C10113ABB2BFC662071A45DBD940CF26AE9349C45C376
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 81b3dce75d31402d7dea22d9890869d905244ba7f6c354e77e8dd6f98c1390d0
                                              • Instruction ID: 3674f224b8c4f95e0bf0078865ecb6f26a5a9828380e132f4bb68a9cd1ef4bbc
                                              • Opcode Fuzzy Hash: 81b3dce75d31402d7dea22d9890869d905244ba7f6c354e77e8dd6f98c1390d0
                                              • Instruction Fuzzy Hash: FA917670F007145BDB19EFB988106AEBFE2EF84700B44892DE516AB344DF74AE068BD5
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e41639da7770f33080a1177c38e9a86ec6993685ee7db2b475a2ac13b26938af
                                              • Instruction ID: 20f4fc55fab1f62836b1e89c2c8f0d6c7ad59c1ccf2203746608bc34d88e5f22
                                              • Opcode Fuzzy Hash: e41639da7770f33080a1177c38e9a86ec6993685ee7db2b475a2ac13b26938af
                                              • Instruction Fuzzy Hash: 9E916670F007145BDB19EFB9881066EBBE2EF84700B44892DE516AB344DF74AE068BD5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'q$4'q$pi5k$pi5k$pi5k$pi5k$pi5k$|,7k$Jnl$Jnl$Jnl$Jnl$Jnl$Jnl$rml$rml
                                              • API String ID: 0-2153264186
                                              • Opcode ID: 7afa1ecb036fd433a802a1f6ba742dadd9cccd3de659be597809f661180f9d1e
                                              • Instruction ID: 3944ed6963de4204821372fd4512a63baa71750311ad5192a4f247186a5a5eb7
                                              • Opcode Fuzzy Hash: 7afa1ecb036fd433a802a1f6ba742dadd9cccd3de659be597809f661180f9d1e
                                              • Instruction Fuzzy Hash: 512227B1B04306DFDB369F7984417EABBE1BF89211F14806AE906CB291DB35DC49C7A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'q$4'q$4'q$4'q
                                              • API String ID: 0-4210068417
                                              • Opcode ID: 99c9a1454ec525353a04265da9c1afb23d13b36b4b04fea260935db2e59f6596
                                              • Instruction ID: 1100033226b5c659562bf699ab8a182e6cb1187c2c7ad96d16d3f3eef0d884e5
                                              • Opcode Fuzzy Hash: 99c9a1454ec525353a04265da9c1afb23d13b36b4b04fea260935db2e59f6596
                                              • Instruction Fuzzy Hash: F01249B1B043458FD7369B7898117EBBBA2AFC5210F19C46AD905CB2D2DB31EC41C7A6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: cl$cl
                                              • API String ID: 0-2006161966
                                              • Opcode ID: 1e841c4c1b1fa888991f790dfd6b0b8f468f442b20f492407b4d04ac306c2f47
                                              • Instruction ID: e7f85d39affe683abec4a7543d9ee25d6dcbbf7b8e0cf3b86ba88ba48f85d9a5
                                              • Opcode Fuzzy Hash: 1e841c4c1b1fa888991f790dfd6b0b8f468f442b20f492407b4d04ac306c2f47
                                              • Instruction Fuzzy Hash: C4B14A71B04249AFCB359B79D4217EABBE2AFC6210F1AC07AD505CB281DB31DC45C7A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: pi5k$Jnl
                                              • API String ID: 0-845687747
                                              • Opcode ID: 8050692fe996d11cf7e41f9574870e6a7405553adcfda5aa2b1c4f88f98cf5ad
                                              • Instruction ID: ecbfe9cc177230e377b9639debe695ef829fd5afdb9f2bca31f49b280aa0041a
                                              • Opcode Fuzzy Hash: 8050692fe996d11cf7e41f9574870e6a7405553adcfda5aa2b1c4f88f98cf5ad
                                              • Instruction Fuzzy Hash: 6041BE75A102158FCB21EF78D954AAEBBF1BF49300F048269E415AB3A1CB70BD05CBA1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: pi5k$Jnl
                                              • API String ID: 0-845687747
                                              • Opcode ID: 95129a1c9596627edf0fca7d1806bbd2d37c68b6b2969cfb82a81682db44aa72
                                              • Instruction ID: 042e89c903f2c494756551b00c7f238c5f4b87c5fbf8b8e21fa3dc68f8cffbdf
                                              • Opcode Fuzzy Hash: 95129a1c9596627edf0fca7d1806bbd2d37c68b6b2969cfb82a81682db44aa72
                                              • Instruction Fuzzy Hash: CA317E34A002059FCB24EF79D994A9EBBF2FF48700F548629D405AB3A4DB70BD05CB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (q
                                              • API String ID: 0-2414175341
                                              • Opcode ID: 39abeb408e2f5c958991013c187abc27d527c9dd86e4dc8193ef608a58a1abd9
                                              • Instruction ID: 59b99350e882769cf3dd40ba10beb98b8a99d9f43fc1b45859556718875e3ff5
                                              • Opcode Fuzzy Hash: 39abeb408e2f5c958991013c187abc27d527c9dd86e4dc8193ef608a58a1abd9
                                              • Instruction Fuzzy Hash: 8E412C34B142058FDB14DFA4C954AAEBBF2AFCD711F5440A9E906EB391DA35EC02CB61
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (&q
                                              • API String ID: 0-583763264
                                              • Opcode ID: e5b7545c610b667da1e5b7a9fa68a3008e99007a849ba8c5cc009dcebf91be45
                                              • Instruction ID: 67f9d6bfdbaba216242b9a172754425f2e8f6020032a9c7d5f13d6f725859623
                                              • Opcode Fuzzy Hash: e5b7545c610b667da1e5b7a9fa68a3008e99007a849ba8c5cc009dcebf91be45
                                              • Instruction Fuzzy Hash: 7321E275E002488FCB14DFAAD80079EFBF5EB88320F14846ED519E7340CA74A9058BA5
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3287df137660d70897c74c60b84410f0402b446eca895240016e407ad9b9c0c7
                                              • Instruction ID: b50407ca04e74bf6746e06881491d098b73a1ff379b329e773492e4b86270cab
                                              • Opcode Fuzzy Hash: 3287df137660d70897c74c60b84410f0402b446eca895240016e407ad9b9c0c7
                                              • Instruction Fuzzy Hash: BB918074B202158FDB25DF78D980A6DBBE6AF88701B154079E902EB360DF71EC02CB91
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 81e164b2b3dd9ed079603970fe6fc12a1db0ed23990fcd3a7354792b3ff32fe2
                                              • Instruction ID: 552020d04d7097b82b72e33c4123427aa26c0dd94c6d4151a5a4d0a6ea5058a7
                                              • Opcode Fuzzy Hash: 81e164b2b3dd9ed079603970fe6fc12a1db0ed23990fcd3a7354792b3ff32fe2
                                              • Instruction Fuzzy Hash: BF918D74A00205CFCB15CF58C894AAEFBB1FF49310B6585A9E915AB365C736FC51CBA0
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3fe3d3b94cd7e3bd2ae896465cf836b22217c4ef44ee9f04161f86edacab6634
                                              • Instruction ID: 30fee50d6f60470e9bc795298440c4f186788838d51c2cea41fe16994fc27d94
                                              • Opcode Fuzzy Hash: 3fe3d3b94cd7e3bd2ae896465cf836b22217c4ef44ee9f04161f86edacab6634
                                              • Instruction Fuzzy Hash: 30616B70E002499FDB14DFA9D944B9DFFF1EF88310F18816AE919AB360EB74A805CB50
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ae21fba3a53bc3cb732530f1473a5314ee5ed87af1fbdcbd55b6d7a27972c19b
                                              • Instruction ID: 6077fbc45528a54f89844e09fff0da69c276492ff041a3ac17262364682a8198
                                              • Opcode Fuzzy Hash: ae21fba3a53bc3cb732530f1473a5314ee5ed87af1fbdcbd55b6d7a27972c19b
                                              • Instruction Fuzzy Hash: B151CE347202059FD7149B78DC44A2BBBEAFFC9610B5584B9E509CB352EB35EC02CBA0
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5010b2ea6cfd2efb17a669b169c7daac9f5e695b461a1cc2e4cd06647cd8ee67
                                              • Instruction ID: 28491ef88b12ff9163d2f7006907eab88450397943885fc8e839f4bd5270d9d4
                                              • Opcode Fuzzy Hash: 5010b2ea6cfd2efb17a669b169c7daac9f5e695b461a1cc2e4cd06647cd8ee67
                                              • Instruction Fuzzy Hash: A8612871E102099FDB14DFA9D984B9DFBF1EF88310F188129E919AB354EB74A841CB50
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 650f517641c0eb0bde6772181d705fc87600a67c2ce3221cb0fe9d981643f83e
                                              • Instruction ID: 03a43649b665c45df4512092f910dc1e1afd2470be2af44e99080f721f0b65c8
                                              • Opcode Fuzzy Hash: 650f517641c0eb0bde6772181d705fc87600a67c2ce3221cb0fe9d981643f83e
                                              • Instruction Fuzzy Hash: 95419774B103058FEB21DF78D994E6ABBE6EF882047498069E545CF365EB30FD028B91
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 783fd420b3c0619332f0cbc671f6a5a4761f53c4673150107422f3256cb93571
                                              • Instruction ID: 097147610c91d1273c2764ce1c19fc43ee83c261bd096bfc9031dfb13ae1002b
                                              • Opcode Fuzzy Hash: 783fd420b3c0619332f0cbc671f6a5a4761f53c4673150107422f3256cb93571
                                              • Instruction Fuzzy Hash: A94157B4B102058FDB20EF78C994E6AB7E6EF886047598469E545CF365EB30FD028B91
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b4676eeafbdbe4dd9614b7b8e54de25ba16acd7d101830096f199782b664512b
                                              • Instruction ID: 5581b62cd39edf65cae80eebf330fb6c07a5ddf0da3c87e350028cc73c6f46cf
                                              • Opcode Fuzzy Hash: b4676eeafbdbe4dd9614b7b8e54de25ba16acd7d101830096f199782b664512b
                                              • Instruction Fuzzy Hash: 45412AF06002028FCB3A9F64C4516FABBA2EF85200F99845AD911AF2D1D731EC55CB65
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 41aea7e6449e3cffac34f64fb6f1447b007cbd7345e88a7b1bb901892fefaa8a
                                              • Instruction ID: e853bd310629b0e3ec0a0fdd49ef7c895a36f407489bec308c732b3e9ff89481
                                              • Opcode Fuzzy Hash: 41aea7e6449e3cffac34f64fb6f1447b007cbd7345e88a7b1bb901892fefaa8a
                                              • Instruction Fuzzy Hash: 2A416974A10205CFCB05CF58C898AAEFBB5FF49310B6185A9D915AB364C736FC91CBA0
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7537afca426b429d1491cca611154a0cf91317ccd00dcd9d5bbafba1a1826214
                                              • Instruction ID: 38d60f6b959271f49c973812a4a693fc60c0dfe4a21c2b6fa9cf69856fc9b083
                                              • Opcode Fuzzy Hash: 7537afca426b429d1491cca611154a0cf91317ccd00dcd9d5bbafba1a1826214
                                              • Instruction Fuzzy Hash: 6B31CE353002059FD714EB79E844B9ABBE2EFC4211F048139E609CB360DF74A80ACBA1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e22456e1a082d7bf45b386b06bacb82203f64b83d12d9c2f5eb74973e3f02d10
                                              • Instruction ID: acc2a61fe3dbc98f55584e43cd6421f01dce085471f68a31236176971246c805
                                              • Opcode Fuzzy Hash: e22456e1a082d7bf45b386b06bacb82203f64b83d12d9c2f5eb74973e3f02d10
                                              • Instruction Fuzzy Hash: 5F311D34B102068FDB14CFA4D958AAABBF2AF8D711F1440ACE906AB351DB71EC01CB60
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a6589f03d0addaa09e65ef32acc9ce006dd39a57439f21959946830eca78e3b5
                                              • Instruction ID: 3d37e9bcd078c065b9f415fb3536dede6762475da66a33ab38868918e7456cbb
                                              • Opcode Fuzzy Hash: a6589f03d0addaa09e65ef32acc9ce006dd39a57439f21959946830eca78e3b5
                                              • Instruction Fuzzy Hash: 43318E71F102099BDB19DF79D9557AEBBF2AF88310F048029E509EB350EB749C418BA1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ada0ce932ab916f15b0b610f1aec1e8f5d415a8d8aaff0b94851a00e1bd528a6
                                              • Instruction ID: 6f0f72bb0fc6df6935581d8ec28b31519e399ae42ae128cb69275f7fdd56827f
                                              • Opcode Fuzzy Hash: ada0ce932ab916f15b0b610f1aec1e8f5d415a8d8aaff0b94851a00e1bd528a6
                                              • Instruction Fuzzy Hash: 4331B4B4A002099FDB00EF64D855BFE7BF2EF85700F1584A9E100AB395CA399E41CBA1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 913715763994e83bda3ecc3bf1174966c9b37a854044f906091533f433c31d9d
                                              • Instruction ID: 3e36adeb0955523811151b3b88e01f3c8cfc966ebe6b714761c111823378f104
                                              • Opcode Fuzzy Hash: 913715763994e83bda3ecc3bf1174966c9b37a854044f906091533f433c31d9d
                                              • Instruction Fuzzy Hash: 0C311A75B102058FCB18EF69D854AAEBBF2AF88610F144169D406EB3A0DF75AC45CBA1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b19beb55139032865dbb0167591ba216b6b74ee8c5dc53608d20f8d4e68fffb1
                                              • Instruction ID: eabfd18c1ccd337fbf23ca85ad948ec63a228b0a77693739bfc2d307463a6e17
                                              • Opcode Fuzzy Hash: b19beb55139032865dbb0167591ba216b6b74ee8c5dc53608d20f8d4e68fffb1
                                              • Instruction Fuzzy Hash: 82313A70F102099FDB19DF69D9947AEBBF6AF88340F148039E509EB350EB749C018B90
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d24eecbd46eff91919e1e0d7bc3f1109d622b8da40e85fa44d444b8ecb4b86db
                                              • Instruction ID: 1c6fd8c884561ea7728b417dd363e0b7235844768cca878537763a4a2e22a664
                                              • Opcode Fuzzy Hash: d24eecbd46eff91919e1e0d7bc3f1109d622b8da40e85fa44d444b8ecb4b86db
                                              • Instruction Fuzzy Hash: C021F1B1A10206CFDB3A8F59C545BF577E0BF15321F05C066E9099B2D0C334D888CBA9
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ca1ac8c5d03afe32cb93c8dc87309e99d80445ce39eedfad980370b198c4bf4e
                                              • Instruction ID: c6e5d7fee292661e13823ca5c22f4db46058720656578f3ac96c318d7db02a0d
                                              • Opcode Fuzzy Hash: ca1ac8c5d03afe32cb93c8dc87309e99d80445ce39eedfad980370b198c4bf4e
                                              • Instruction Fuzzy Hash: 87312B70B102058FCB18EF69D858AAEBBF2EF88710F144569D406EB3A0DF75AC41CB90
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 57a96dcabee5781f82fd78986f705c95663e091d9f821a55d5e20b9f15713f9d
                                              • Instruction ID: c5e82d8a5a0c83ba7d35e30186b1be4495dae87a0a7406c2681804fe35474f87
                                              • Opcode Fuzzy Hash: 57a96dcabee5781f82fd78986f705c95663e091d9f821a55d5e20b9f15713f9d
                                              • Instruction Fuzzy Hash: 2831ACB5A153448FEB60DF6AD4897CAFBF2EF88320F28C02AD51D97215DB746481CB61
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b9e1b1c7ead1708625a9df49db335af937859f8c601a96ad96912a538f57c985
                                              • Instruction ID: 65339937283c3684f1b6f0c4351afd97ca5ae1d00014a17bcd2801e950510ac8
                                              • Opcode Fuzzy Hash: b9e1b1c7ead1708625a9df49db335af937859f8c601a96ad96912a538f57c985
                                              • Instruction Fuzzy Hash: 623141B4F002099FEB04EFA4D895BAE77F2EF84700F148469E515AB395DA39AD01CF90
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b02c94a9341549e42341d473a1af224ff1728042d64fc8601595e64b59cedcb2
                                              • Instruction ID: 04533d59b9dad85adbe6defbd0ac4ea17052c0041d3d72a7822dd9d99749cd6f
                                              • Opcode Fuzzy Hash: b02c94a9341549e42341d473a1af224ff1728042d64fc8601595e64b59cedcb2
                                              • Instruction Fuzzy Hash: 0721D1B5A10206CFDB3A8F59C585BF577E1BB55321F05C066E9098B2D0C334D98CCB65
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1502107120.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_b8d000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 240b00a726edf6dd9aea9fc5bbbcd9fdd45c1419272c82d060ee4cca4c7c7264
                                              • Instruction ID: ae88bf97ceb1f267ebf565727fbe790ba312cd1c74bfab920b0f32697fa77cc8
                                              • Opcode Fuzzy Hash: 240b00a726edf6dd9aea9fc5bbbcd9fdd45c1419272c82d060ee4cca4c7c7264
                                              • Instruction Fuzzy Hash: C321E575604301DFDB05EF50D9C0B26BBA5FB88314F28C5EAE9090A366C336D856CBA1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd2f8e887777641b8c30f819c581eb4d86f0dfed5aba9b5406f8ac3adca735bf
                                              • Instruction ID: 682c1e2f0dad3596e472baf2e99ee3bb201483904bd91c4f8a410512a9cc47a9
                                              • Opcode Fuzzy Hash: fd2f8e887777641b8c30f819c581eb4d86f0dfed5aba9b5406f8ac3adca735bf
                                              • Instruction Fuzzy Hash: 4721E0B5A10206CFDB3ACF69C585BF577E1BB15321F05C066E9098B2D0C374D988CBA9
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e17d536aef84666cf650bbd6245fa51c1db1e220f5f6f44eb5eaa2d4a111a676
                                              • Instruction ID: e34241eda1db0fef7256d3a07e880e32c3ba05e889f32519c7e1eba35c937748
                                              • Opcode Fuzzy Hash: e17d536aef84666cf650bbd6245fa51c1db1e220f5f6f44eb5eaa2d4a111a676
                                              • Instruction Fuzzy Hash: 6B21DEB5A10206DFDB3A8F69C585BF577E1BB15321F05C066E9098B2A0C374D988CBA5
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1502107120.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_b8d000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 65db643c34cdfc7d26b1022a45c31da4a84c91833983f6b0275fa2148b4fd0f9
                                              • Instruction ID: b7a25eeb7c022b941764a000f3899eb616ff79aeb00b8af9d7482e6e3d0effa8
                                              • Opcode Fuzzy Hash: 65db643c34cdfc7d26b1022a45c31da4a84c91833983f6b0275fa2148b4fd0f9
                                              • Instruction Fuzzy Hash: 9F210475604245DFDB14EF24D9C4B26BBA5EB88324F24C6BDD8094B3A7C336D846CB62
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5db7a052f9d231e5bdad17f0f70396980c842848c4c7317ca6c2d57bda5a8a1c
                                              • Instruction ID: 386a8cbd37128a9c1c61387a2d5bf0f61ebf2bea67180da35d545269ccffdc9c
                                              • Opcode Fuzzy Hash: 5db7a052f9d231e5bdad17f0f70396980c842848c4c7317ca6c2d57bda5a8a1c
                                              • Instruction Fuzzy Hash: CA216BB4A157448EEB60CF6AC48878AFBF6EB88310F28C02ED55D97215D7746481CB61
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 991bb26e81f99e7db9de5ad207d87ba787fa57ea247f0963395504febe1689a5
                                              • Instruction ID: 9b7c7cd8633b8cacab24457f2702dc8ed382e70ca3ad364c927da33ce14fc44c
                                              • Opcode Fuzzy Hash: 991bb26e81f99e7db9de5ad207d87ba787fa57ea247f0963395504febe1689a5
                                              • Instruction Fuzzy Hash: B8214F35B001158FDB14EFA8E8449DA77F2EFCC625B0041A5E909DB755DB34ED128BA0
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b5b4411d532a5a289931f5d3b1934031bff5ce8f9eab139aaaccd33704bcf96a
                                              • Instruction ID: 4d47ff799697a3399c7df91851ac6de9673768edd650d71df29ee64924d23125
                                              • Opcode Fuzzy Hash: b5b4411d532a5a289931f5d3b1934031bff5ce8f9eab139aaaccd33704bcf96a
                                              • Instruction Fuzzy Hash: 5111E1B0A10216DFDB35CF68C580BEBB7E1BF49220F058066E60D8B291D731D849CBA1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1de6bdc6277f673dd06733c9da876445f7b273756dc1f383d48d478586d8ff21
                                              • Instruction ID: ba3c451d3118b5ece419a890e4771e5ce0bbbb27c3641b09bd1c6e6e0a101138
                                              • Opcode Fuzzy Hash: 1de6bdc6277f673dd06733c9da876445f7b273756dc1f383d48d478586d8ff21
                                              • Instruction Fuzzy Hash: 9911E6B1A1028AEFCB35CF69C590BEAB7F1FF45611F068066DA0997291D330E880DB61
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e995efcb617c2363af25c5e633f2e68a7af4103cec6288b86bdf59d6a4edf731
                                              • Instruction ID: 0b819ae59ae004843c899f3089ac886c9b24aecc2862e1c34bedd7eebdd98afe
                                              • Opcode Fuzzy Hash: e995efcb617c2363af25c5e633f2e68a7af4103cec6288b86bdf59d6a4edf731
                                              • Instruction Fuzzy Hash: 8E11E6F1A1028AEFCB35CF69C590BF6B7F2AB45211F178166D50997291D330E841D761
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7c3f7da2e7ae065d1436ee3a0c87bea79f7e338b00efa5ff1513b35dfeb09e9f
                                              • Instruction ID: cc3bc133efe1ee2f4597e9d08f9d5abd4b3ab8d2fde601ca9c69883775668dce
                                              • Opcode Fuzzy Hash: 7c3f7da2e7ae065d1436ee3a0c87bea79f7e338b00efa5ff1513b35dfeb09e9f
                                              • Instruction Fuzzy Hash: A011A23490A3819FD713DF78C8A46A9BF70EF07314B1580D7C0909B2A3C627A849CB65
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1502107120.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_b8d000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
                                              • Instruction ID: 9b07ad0bc2573e3f5ed01451e9d5d68c901809642abbe13ba1a71d62c44c9c92
                                              • Opcode Fuzzy Hash: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
                                              • Instruction Fuzzy Hash: 11218E76504240DFCB06DF50D5C4B16BFB2FB48314F28C5EAD9494A766C33AD85ACB91
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 418cd6d50e05e6f56ef591001b5496657b50ebf10817191babb4f159c12de5fc
                                              • Instruction ID: c2daa2e5ce344bf0378c715f8e9fb7f8e4950c97739a78191b1eed25a8f84d32
                                              • Opcode Fuzzy Hash: 418cd6d50e05e6f56ef591001b5496657b50ebf10817191babb4f159c12de5fc
                                              • Instruction Fuzzy Hash: 9201DF6760E3869ECB2343786C506C1FF359B42124F4A02E7E590966A3D618AA0AC3B2
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9946655ca2f94659af100e77d4e4534acb6b963956bd6d09c5d0aad2f262d030
                                              • Instruction ID: 369f4059b0dad5ecb0f2e60f379a3138906a20295b7a537def8a081d34e6d701
                                              • Opcode Fuzzy Hash: 9946655ca2f94659af100e77d4e4534acb6b963956bd6d09c5d0aad2f262d030
                                              • Instruction Fuzzy Hash: 3701C0357083448FE728DB35D994A9ABFE5EF45210B1488EEE04AC76A2CA34FC46D711
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1502107120.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_b8d000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 020411f76a1def23680c170f620a6ef38196b77a797ef2394590ff05fb243f34
                                              • Instruction ID: eeec8e8b8a094a376d3b321d3c656a60095eaf315fe07bb131a21510acec3e42
                                              • Opcode Fuzzy Hash: 020411f76a1def23680c170f620a6ef38196b77a797ef2394590ff05fb243f34
                                              • Instruction Fuzzy Hash: 4C119D79504284DFCB15DF14D5C4B25BFA2FB84324F28C6AED8494B666C33AD84ACB61
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bb6139ee54f33200d3eaa929a18b963ba134d92aaf9809d9ba09be0af710fbdb
                                              • Instruction ID: 9a773f2641600533f159e53eee8d1314e7b0fe9851d43e3aac3e1464da8ed8ae
                                              • Opcode Fuzzy Hash: bb6139ee54f33200d3eaa929a18b963ba134d92aaf9809d9ba09be0af710fbdb
                                              • Instruction Fuzzy Hash: C201F536B341449BCB10D774EC119EDFBB1AF88221B5480BAE5129B351DA60AC46CBA1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 815b917ac573ce3a494b6eb1dc9fe13a61763b53fe6bcd4b6db6e20812096f0f
                                              • Instruction ID: ffd0c7d9c4ab550e0d9086041c78f76c2082cff600c9b8284b5d41b56140414e
                                              • Opcode Fuzzy Hash: 815b917ac573ce3a494b6eb1dc9fe13a61763b53fe6bcd4b6db6e20812096f0f
                                              • Instruction Fuzzy Hash: C0113935204750CFC728DF75D440856BBF6EF8921532089ADD08A87BA0CB32F846CB50
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e7159ead7786c1289a9e3aa94aad3fc0e6622c1e22952bf1552c96156b5adcb1
                                              • Instruction ID: c8a6082e931ddff4d35b52bf238a5106effc8751df983f0ae644239e3f9470e0
                                              • Opcode Fuzzy Hash: e7159ead7786c1289a9e3aa94aad3fc0e6622c1e22952bf1552c96156b5adcb1
                                              • Instruction Fuzzy Hash: CF019235700218CFCB119F74E908AAEBBF5FB88315F044069E51AD3351DB359901CFA0
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ce35c4054cff6f6dcd91e76bbdef74b6935f9a8fd781678c233e52d4c8666d70
                                              • Instruction ID: 1fd9e513628ef206b09d429d5ed341ad973c86f18fb143df3d27e030797e426e
                                              • Opcode Fuzzy Hash: ce35c4054cff6f6dcd91e76bbdef74b6935f9a8fd781678c233e52d4c8666d70
                                              • Instruction Fuzzy Hash: 38F0C2363093A05FD7118A799C54ABBBFE9EF8662170840ABF845C73A2CA74DE048770
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1502107120.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_b8d000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bd4dfce6a7c31967bfe094cd92d6b3b5c9bc057faf1498a905aa76d6ab3e4e3e
                                              • Instruction ID: 9e8489d221ed1840e28b675c0c571cad848a4cbd0db8d64860a853adc85f6be9
                                              • Opcode Fuzzy Hash: bd4dfce6a7c31967bfe094cd92d6b3b5c9bc057faf1498a905aa76d6ab3e4e3e
                                              • Instruction Fuzzy Hash: 1601F2315083049AE7206A25DCC4B66BFD8DF41325F18C19BEC480F2D2C6799846CBB6
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e19fde47017a6fcdcb3af8a2dc3347875bf9451bdddea560b97f30888ba44740
                                              • Instruction ID: 01a9d2005cf6706232b2fe5456fb5470237e98e1174ad87e87249aaf28603341
                                              • Opcode Fuzzy Hash: e19fde47017a6fcdcb3af8a2dc3347875bf9451bdddea560b97f30888ba44740
                                              • Instruction Fuzzy Hash: 28F0E9363246145BC712625DBC118EEFBAADDC65B13440077E55ACB240DA65BA09C7F3
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1502107120.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_b8d000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ae7084dab46b7c1a1a6e8860871f6d682451a6549188450fbf87a950ceb850b7
                                              • Instruction ID: 4e1a0cfeed2e1952fa79f90e5798c0965e97f0a889bd5b9bfda3f35dac6d55e9
                                              • Opcode Fuzzy Hash: ae7084dab46b7c1a1a6e8860871f6d682451a6549188450fbf87a950ceb850b7
                                              • Instruction Fuzzy Hash: 0D015E6254E3C09FD7128B258C94B52BFA4DF52225F1981DBD8888F1E3C2699848C772
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c09e742e49340d6e1e39e39f41d0cfab35e67c95ae34b7207e4028e3491c8c04
                                              • Instruction ID: 1fc50298dc1fee711d8126bc746bdfd4cd7b507a332392ca0018f0c75b8e2989
                                              • Opcode Fuzzy Hash: c09e742e49340d6e1e39e39f41d0cfab35e67c95ae34b7207e4028e3491c8c04
                                              • Instruction Fuzzy Hash: 89F028B66082045BE3016B79D0053EBBBA5EFC1714F1441ABD5054B386CE356E45C7E1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 537b8d75ecab87d32a64028ad3092fd74869a4024614cf40736e729d83b1c2e0
                                              • Instruction ID: ad5d3032e74e5642d97a14dbd786201f404e37475c702a5d91c097325918284e
                                              • Opcode Fuzzy Hash: 537b8d75ecab87d32a64028ad3092fd74869a4024614cf40736e729d83b1c2e0
                                              • Instruction Fuzzy Hash: 6FF022313053406FC7019765EC449AFBBF9EBCA12270005AEE40AC7252DB306C46C3B1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1502107120.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_b8d000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 01d2ffe01c6bccc080b4160e8a4e9fef3be94bc6d2f9d781f1bab692ceda2fae
                                              • Instruction ID: 88077841b4e23c8e290a3baf904a1ac427aad4e6cbb53ef268735cb19d1040d6
                                              • Opcode Fuzzy Hash: 01d2ffe01c6bccc080b4160e8a4e9fef3be94bc6d2f9d781f1bab692ceda2fae
                                              • Instruction Fuzzy Hash: 67F0E776600600AF97209F0AD985C27FBE9EBD4770359C59AE84A4B662C671EC41CBA0
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dd78d884b1a94d55770370c25183ffb95aae3345c6a14f99c70612f208827862
                                              • Instruction ID: 2cc473dd60e349e0d04da8575886934b6f22f3b85da7f9c953c8670e3eae355e
                                              • Opcode Fuzzy Hash: dd78d884b1a94d55770370c25183ffb95aae3345c6a14f99c70612f208827862
                                              • Instruction Fuzzy Hash: 81E02BB771524927D715227A1C003FEFE9E8EC65D47880076CB05C7542EE11FC0A43A1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c8869db56324e751a2bff01099c95929b8a648cafeac9f2cb9dd9079a5ecec2b
                                              • Instruction ID: 86cec01c76ba04631f8c1cc36a01cebf3f03a74573e5fcf0a74118057eae0f48
                                              • Opcode Fuzzy Hash: c8869db56324e751a2bff01099c95929b8a648cafeac9f2cb9dd9079a5ecec2b
                                              • Instruction Fuzzy Hash: 59F05EB65063044FD7609BB8E8A93D6BFE4FB41320F00446BE15AC7342DB39AD85CBA0
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e36db7549fdee638725a4badcf4cf0336fdb6dad32fcb11af25bf331f9bf0801
                                              • Instruction ID: e1ae865b018c363310e60ec9e594db496d910477d03dfbaf6576ff032425c084
                                              • Opcode Fuzzy Hash: e36db7549fdee638725a4badcf4cf0336fdb6dad32fcb11af25bf331f9bf0801
                                              • Instruction Fuzzy Hash: 1FF0E2393142014FC3118F2CE854C76BBFAAFCA61031900AAE584DB732CA61EC01CB61
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6158a3e2d0f4ba48505d558c6217242befb828004b871b779820aea1ac1e88fc
                                              • Instruction ID: c3780f6f8a36d89e4ed75a262f996b260ebade24b8da567b076f6c1cf7ce6645
                                              • Opcode Fuzzy Hash: 6158a3e2d0f4ba48505d558c6217242befb828004b871b779820aea1ac1e88fc
                                              • Instruction Fuzzy Hash: 27F0A73A3092945BC70A2775A81D2ED7F55EBC5634F0401A7DA1587382CF685E4583E5
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 83d6b127135c0cf5c0b76815cb55b1fa37df0766606e1421592e6c39311dfae1
                                              • Instruction ID: 0c0d3dba85e8e557c3e06f6dd66dd834715c0188893fd460182d11b95b70ed6c
                                              • Opcode Fuzzy Hash: 83d6b127135c0cf5c0b76815cb55b1fa37df0766606e1421592e6c39311dfae1
                                              • Instruction Fuzzy Hash: B7F020317002149FD710AA5AEC44A6FB7E9EBC9622B00192DE10AC3301DF70BC8287B0
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1502107120.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_b8d000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e6fcd317b7f65375a04c4e4467f1fdaf03ba9a3362b63332f979298bb0d8e464
                                              • Instruction ID: f7c22e6c842f4d70b8503bbd435fcf2fee2ea91e04efacb91577cab060941be9
                                              • Opcode Fuzzy Hash: e6fcd317b7f65375a04c4e4467f1fdaf03ba9a3362b63332f979298bb0d8e464
                                              • Instruction Fuzzy Hash: 45F04975100A80AFD720CF06CD84D23BBF9EBC5720B198589E84A4B362C631FC02CFA0
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e95a0ca38f02fb46637ec5784605000e9e4e4fc8a3f1ec3021aca108a624d704
                                              • Instruction ID: 0ccf8aba9fe9eaf51722a274de04195456be06119cf8017ced850370acb3d677
                                              • Opcode Fuzzy Hash: e95a0ca38f02fb46637ec5784605000e9e4e4fc8a3f1ec3021aca108a624d704
                                              • Instruction Fuzzy Hash: E3F027B57046089BE304BB7AD00579FBBDADFC0714F14816AD6094B389DE366D41C7D0
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cd749868fb57396971002f374d0943318619b9ac9fbd9cb79a401cde25934ab8
                                              • Instruction ID: 4a521cca16c9391369cf4f6e6ba598fb8b10e0b7517070a966c73ef21b6c2eea
                                              • Opcode Fuzzy Hash: cd749868fb57396971002f374d0943318619b9ac9fbd9cb79a401cde25934ab8
                                              • Instruction Fuzzy Hash: 9FE0DF2B32939207CB16812A3C100E2FF679AC327034842BBF188CB646CC52AE4943F1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c975f572bde0592bb03ec168d2802c1d909a8f9f7f49f3fbf26cc811d238c8d2
                                              • Instruction ID: 40e76ab14961163a8b1645eef00871dbf8cbb57d39f8fca86eda3f177d28eeb0
                                              • Opcode Fuzzy Hash: c975f572bde0592bb03ec168d2802c1d909a8f9f7f49f3fbf26cc811d238c8d2
                                              • Instruction Fuzzy Hash: EBE0ED357101118F93109B1DD854D66B7EAEFCE61535910A9EA45DB731DA61EC018B90
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b7d99d82274ecd9fdbed93b273c2f286d17b2a5f91aa8b932dcb1a66325ad7ca
                                              • Instruction ID: 4083bfcca13b7f54eeccdc9b07db6d289b65cf8972630860555bdf4ad38938d2
                                              • Opcode Fuzzy Hash: b7d99d82274ecd9fdbed93b273c2f286d17b2a5f91aa8b932dcb1a66325ad7ca
                                              • Instruction Fuzzy Hash: 44F06D79A11118EFCB00DBA8EA86D9DFBB2FB48311B158155F905A7351CB32ED15CB40
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cd2498659b2651be4ebd364f65654cf7814bfecd44ee8b41ea3755984a45202a
                                              • Instruction ID: 8caa0819dd691d128ed249be8c349381dd6f29003057521bb5425c548d01cfe6
                                              • Opcode Fuzzy Hash: cd2498659b2651be4ebd364f65654cf7814bfecd44ee8b41ea3755984a45202a
                                              • Instruction Fuzzy Hash: 51E04F3A91420E9BCB08BB74E90A5EEFF34FA00311B4001AAD94683680DE306A4ACAD1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3cbe46bda9ea5ad5cc626a8e310aab006b1a8024ac21844e8e8943c105618496
                                              • Instruction ID: acaf6e14d1f3932c4f40a764bdcac1ac4568651ca98c5300f3a819c28d0c5803
                                              • Opcode Fuzzy Hash: 3cbe46bda9ea5ad5cc626a8e310aab006b1a8024ac21844e8e8943c105618496
                                              • Instruction Fuzzy Hash: A3F0ED70A003045BD7649F79D89D79BBBE5FB44320F004469E65EC7340DF39A980CB90
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 31ff53277350bd1ffeb4b731184dc9b3034234708ac92a78b52b4ed5fad60821
                                              • Instruction ID: cddee7231137825f22b3e2ef70f8f76e303ebe0e1ef41ab8ad5905fddc2b4201
                                              • Opcode Fuzzy Hash: 31ff53277350bd1ffeb4b731184dc9b3034234708ac92a78b52b4ed5fad60821
                                              • Instruction Fuzzy Hash: 59E04F7AA1820A9BC704EBB4E8465E9FFB4FB04314F004065ED5597741EA31AD55CBD1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e361c5d293e5783fc7c20c86977428ed795cadaec6d111ed19614e44e06f265a
                                              • Instruction ID: 85f79d94db3b184991f457112f40f0cd66fd7ddecbd591ad17f663e53f5126b1
                                              • Opcode Fuzzy Hash: e361c5d293e5783fc7c20c86977428ed795cadaec6d111ed19614e44e06f265a
                                              • Instruction Fuzzy Hash: 37E026353042185BCB0D3B79E80C2AE7A96FBC4B34F04002AE61A83381CF7C190183D9
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3ac8e1f06694b75295e109f3bda2860dbb67f59045d0423385a266c4f63779e6
                                              • Instruction ID: bda2be042401ba6dae1df927aedd48e414bbd1adb7858bea48e3ee58d3d819c4
                                              • Opcode Fuzzy Hash: 3ac8e1f06694b75295e109f3bda2860dbb67f59045d0423385a266c4f63779e6
                                              • Instruction Fuzzy Hash: DED09E9272122A1B9A6C71AA1C507BFE5CF8EC55E578901369B09D7641FE51FC0903E1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3b28ec44b66f846301e32259e692f83f6ff3ce1e3accabeddc3bfc9c9b122f26
                                              • Instruction ID: 0d82cf1f32e18e98f5b0f5fe116cb829c3c19b7a28f713c66c4214eee512268d
                                              • Opcode Fuzzy Hash: 3b28ec44b66f846301e32259e692f83f6ff3ce1e3accabeddc3bfc9c9b122f26
                                              • Instruction Fuzzy Hash: DCE08635710614078211662EA90155EB6DADEC59B5344406AE11AC7300DE65E90687E6
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                              • Instruction ID: 780cb363cc46ed82b8006d52ba6f2cec9c0ebb4a7e8b67a092ace69f8408b0a9
                                              • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                              • Instruction Fuzzy Hash: 72E08631B2001497CB089699D8108D9F7A6DFCC220F44847ADA0BA7340DAB26916C691
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a650933a640a7b7d6705162f7c75619d6762bb0e8f11f01e29e62225c14a049e
                                              • Instruction ID: 995e966dca0307d436bc73d05f4c3fc538d6adf67b7b7da12143c9fe3845f77c
                                              • Opcode Fuzzy Hash: a650933a640a7b7d6705162f7c75619d6762bb0e8f11f01e29e62225c14a049e
                                              • Instruction Fuzzy Hash: B4E04F70E50209AF8780DFB8994299AFFF4EB59200F5080AAD909D3301EA329A42CFD1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                              • Instruction ID: 6c2fdde2ea52e851d5cb3f9eabbff958cecc28b59433d37acbdc9998b989989c
                                              • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                              • Instruction Fuzzy Hash: F1D04C70D142099F8780DFA9894156DFBF4AB48214B5085AA8919D7211E6715A12CBD1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 30dd58004d4af83352b9431f5619f703dc452f0eacc3bfe52feac69d4111d700
                                              • Instruction ID: b034c599641f9f9d02f19f653a6fd6d3412049fcd9f8053c72c3aed8dbc855c8
                                              • Opcode Fuzzy Hash: 30dd58004d4af83352b9431f5619f703dc452f0eacc3bfe52feac69d4111d700
                                              • Instruction Fuzzy Hash: F0D0673591410D8BDB08ABB5E95B4FDFB74FA14301F4041A9DA0793290EF352A5ACAC5
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d2ff9cf5981d7890260a759fc62f403064acfb0a0c4da3f588d5e7c14c910e2f
                                              • Instruction ID: 70c1652f2fcd714579f09b45eaf632252ad2a4b05b738b39d9b3123bdddb75d3
                                              • Opcode Fuzzy Hash: d2ff9cf5981d7890260a759fc62f403064acfb0a0c4da3f588d5e7c14c910e2f
                                              • Instruction Fuzzy Hash: 50D01734A1820E9BCB08EFB4E94686EBBB4FB44300F004169EE0993340EA316901CBC1
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b889d03b7a80429d1983c987d1759dbaf1924dee43112dc54df1e643437877df
                                              • Instruction ID: 53dd7cae720e65fcd0df79366493b6a1dabdc7f00b72721c4d0fc706826b15c1
                                              • Opcode Fuzzy Hash: b889d03b7a80429d1983c987d1759dbaf1924dee43112dc54df1e643437877df
                                              • Instruction Fuzzy Hash: 4ED09E3454E7C45FC7168B78A4588593F655E0312430515DEEC8A9F167C9758449CB16
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0454ecf3a45c845a36e3cb764b97ab16cd85de2939518c2d5304129289679422
                                              • Instruction ID: 4a38d758b4a9712f45d886223c605f73b7b897306b24f1d2aa9ea26df9d074b8
                                              • Opcode Fuzzy Hash: 0454ecf3a45c845a36e3cb764b97ab16cd85de2939518c2d5304129289679422
                                              • Instruction Fuzzy Hash: 04D09239B00218CFDB14DB98E895A9CF371FF84326F518066EA1997350DB32E952CB40
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 57f0287bd9392fbbd6d6dbbdaa7d1ca985ed022476c828d15dd91a5901829ff3
                                              • Instruction ID: 0a81f81602518bc416e8e9a6a9517c22a138bca2aa463dc236f02646289598ee
                                              • Opcode Fuzzy Hash: 57f0287bd9392fbbd6d6dbbdaa7d1ca985ed022476c828d15dd91a5901829ff3
                                              • Instruction Fuzzy Hash: 8FC08C2112F3C01FDF0A93300C695932F332A4300030A80DAD082DA853C824440FCB22
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d578fcaa405472d070b341ea69261cf3af01d6fa62b15ce90c3bc4d76e0f48da
                                              • Instruction ID: 14e9957e74cc8407674327b07a1fa46f74305d5d85bac00c224f28ef85ea5ecb
                                              • Opcode Fuzzy Hash: d578fcaa405472d070b341ea69261cf3af01d6fa62b15ce90c3bc4d76e0f48da
                                              • Instruction Fuzzy Hash: FAB092340447088FC398AFB9B4089187769AB4021538128ADEE0E0A2978E36E8C4CA54
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $c`k$4'q$4'q$4'q$4'q$84kl$84kl$pi5k$tPq$tPq$Jnl$Jnl$Jnl$Jnl$Jnl$rml$rml
                                              • API String ID: 0-1316400237
                                              • Opcode ID: 8ec2f1889602073a02013d76b2bd11522d711dd1da005c6cf9fbc865d35b120a
                                              • Instruction ID: 6bb3b1bd3c42bed9f21e55a4d85d8b7d5cac690c676b8545f1b0e03ca2c23a91
                                              • Opcode Fuzzy Hash: 8ec2f1889602073a02013d76b2bd11522d711dd1da005c6cf9fbc865d35b120a
                                              • Instruction Fuzzy Hash: 6AD17B71B0430ADFC7368B6994106EAFBF2AFC6211F1A847BD905CB295DB31D846C7A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'q$4'q$tPq$tPq$$q$$q$$q$$q$cl$cl
                                              • API String ID: 0-3549127322
                                              • Opcode ID: fa0e77ebf48ace4dcffeb925405798ec2fd025977d8d1ff8bef6b657015fff8b
                                              • Instruction ID: ee867ec47e5579f64fc8be1fbbd5af8a9d9ac0a519987274308b888c1c49e523
                                              • Opcode Fuzzy Hash: fa0e77ebf48ace4dcffeb925405798ec2fd025977d8d1ff8bef6b657015fff8b
                                              • Instruction Fuzzy Hash: 40A189B17043458FD73A9B7998017A6BBE1EFC6610F2980ABE855CB2D1CB31DC51C761
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fq$84kl$`Qq$`Qq$tPq$$q$$q$$q$$q$$q
                                              • API String ID: 0-3965770199
                                              • Opcode ID: 5a67952594aaff4d2693e467be7282e302acad3354008a96072ff5ff8b172c41
                                              • Instruction ID: b1343d84393ae847bce3a141d8b6078385e7b777d10ae8f0cb9ab93882d370fe
                                              • Opcode Fuzzy Hash: 5a67952594aaff4d2693e467be7282e302acad3354008a96072ff5ff8b172c41
                                              • Instruction Fuzzy Hash: 8A61B0B0A1420EEFDB3A8E15C5607EA77B2BB45311F2B8095E8019B2D0C735DD90EBA1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ,kAq$,q$0oEp$$q$$q$$q$$q$$q$$q
                                              • API String ID: 0-1341813306
                                              • Opcode ID: 7febf3174896850b6ae99fa84775d37a8862f8bd230c0274cf279de1210b2d44
                                              • Instruction ID: f72880c5dde1b48f9cf48673de08bb0ab8d14ec6c16c8f928f17fbe4769786aa
                                              • Opcode Fuzzy Hash: 7febf3174896850b6ae99fa84775d37a8862f8bd230c0274cf279de1210b2d44
                                              • Instruction Fuzzy Hash: C041EA207202058FE73A6B769C5563CFAA27F8C6113A604BAE156CF371EE95EC41C7D2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ,kAq$0oEp$0oEp$0oEp$`Qq$$q$$q$$q
                                              • API String ID: 0-484348198
                                              • Opcode ID: ca07c2a9a914cdf6347a84c2dbdc438723633ea678edbf08e67bacdc0041dbb3
                                              • Instruction ID: bb9e26ccee0a4aea4e528996ca67e373a7aebe3342fcd517d7c045d36955590a
                                              • Opcode Fuzzy Hash: ca07c2a9a914cdf6347a84c2dbdc438723633ea678edbf08e67bacdc0041dbb3
                                              • Instruction Fuzzy Hash: E0E1B830B202114FE7249F799D5062EF7D69FC9A1076644BBDA06DF3A4EE60EC0287D1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: T]k$0Uq$4'q$4'q$XYml$XYml$tPq$tPq
                                              • API String ID: 0-3150255921
                                              • Opcode ID: faedd49b7484a65833669fd918418fe97fa7cbd577835616e33674623743392c
                                              • Instruction ID: 029f7c71c8ddce192d6b958ef57e60d9dce91bc4eb9541c04debaae84f98e4a6
                                              • Opcode Fuzzy Hash: faedd49b7484a65833669fd918418fe97fa7cbd577835616e33674623743392c
                                              • Instruction Fuzzy Hash: 71B12AB1B043958FD735CB6994407AABBA2AFCA211F15C06BDD45CB283DB31DC42C7A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fq$4'q$4'q$4'q$4'q$rml$rml
                                              • API String ID: 0-1764243331
                                              • Opcode ID: 774859ccc1ec7fee4ae3e953225df3fde6e6b8c4faca5075bbe860c9ecce7fc6
                                              • Instruction ID: 4af0ba5ade5824f901fa029db92ed24c2ca871f447f5b38eb46f8560c63ca20d
                                              • Opcode Fuzzy Hash: 774859ccc1ec7fee4ae3e953225df3fde6e6b8c4faca5075bbe860c9ecce7fc6
                                              • Instruction Fuzzy Hash: 15F138B17043458FD72A9B7894117ABBBA2AFCA311F14C4ABD546CB2D2DB31DC42C7A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'q$4'q$$q$$q$$q$cl$cl
                                              • API String ID: 0-3173862579
                                              • Opcode ID: 86b74bb13634f56bde929ba143e76e1ad837035e0a9e1cccfd7498c2468e1765
                                              • Instruction ID: d228115878716e817ada859ac671310f43b9dfbcfb284240aea90c108012db65
                                              • Opcode Fuzzy Hash: 86b74bb13634f56bde929ba143e76e1ad837035e0a9e1cccfd7498c2468e1765
                                              • Instruction Fuzzy Hash: 00517BB17043069FD73A4B6988027A6BBE2EFC6211F29806BD465CB2C1DB31D865C792
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: tMml$`q$`q$`q$`q
                                              • API String ID: 0-2236247844
                                              • Opcode ID: f88fb91a9e8bec34ad9af4a0c873a9f6cf5a2c9e4f1f2019827ed57129c4559c
                                              • Instruction ID: 1e9333c9f65a445970e9d51ee70f6f36c1d8a082083875bb6c6da9ff95a1954d
                                              • Opcode Fuzzy Hash: f88fb91a9e8bec34ad9af4a0c873a9f6cf5a2c9e4f1f2019827ed57129c4559c
                                              • Instruction Fuzzy Hash: 4BB1A874E003099FDB55DFA9D990A9DFBF2BF88300F14862AE419AB315DB34A905CF91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1506082961.00000000042F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_42f0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: tMml$`q$`q$`q$`q
                                              • API String ID: 0-2236247844
                                              • Opcode ID: 12cd6aedac05bcd3d28ab294823393896382c1998ae14a066542c4f0b0bc2cde
                                              • Instruction ID: a4c47db219179bc6c9ff0a8b62deb902ec22fbbaa159021e05092709604c4943
                                              • Opcode Fuzzy Hash: 12cd6aedac05bcd3d28ab294823393896382c1998ae14a066542c4f0b0bc2cde
                                              • Instruction Fuzzy Hash: 02B18674E0021A9FDB54DFA9D990A9DFBF2BF88300F148629E419AB315DB34A905CF91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $q$$q$$q$$q
                                              • API String ID: 0-4102054182
                                              • Opcode ID: 29351678200c9e6f543e1b26bbc0dcdaa6e9086dfca80e22114a16b201db0008
                                              • Instruction ID: 4ed3de43dff6bde1bd5abe5eabab2e2931c8b738780f6a3f3ce3e105e66240b5
                                              • Opcode Fuzzy Hash: 29351678200c9e6f543e1b26bbc0dcdaa6e9086dfca80e22114a16b201db0008
                                              • Instruction Fuzzy Hash: 312149B13103029BE7395B2BA8127A7BB97ABC4711F68802AEA05CB3C1DF75D8118361
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: pi5k$pi5k$Jnl$Jnl
                                              • API String ID: 0-3779286662
                                              • Opcode ID: 94194eafe46f6e1dd6db497018bdb008bfaaa9698b69d51f4c07a2ad8a91b0d2
                                              • Instruction ID: 415c8bb90ec4d9998ab97723b374178dda6e15c517ce96e9030ad826f82cb315
                                              • Opcode Fuzzy Hash: 94194eafe46f6e1dd6db497018bdb008bfaaa9698b69d51f4c07a2ad8a91b0d2
                                              • Instruction Fuzzy Hash: CC2180F1914306DFDB368F19C144AEA77B4FF0A221F0980A6D8548B1B1D735D98CCB61
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: pi5k$pi5k$Jnl$Jnl
                                              • API String ID: 0-3779286662
                                              • Opcode ID: a193a8ed0427e7a534dcc2841f1d74a4f1a2272a3b35d7995b8b819de5820a86
                                              • Instruction ID: 701e8787b3edc6975345658ae3565237fbd327486db9c3bad92e20ffd87454c8
                                              • Opcode Fuzzy Hash: a193a8ed0427e7a534dcc2841f1d74a4f1a2272a3b35d7995b8b819de5820a86
                                              • Instruction Fuzzy Hash: 8F2180F1A14206DFDF36CF19C144AFA77A0FB49321F0980A6D8188B6A0C735D98DCB51
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $q$$q$Jnl$Jnl
                                              • API String ID: 0-793879174
                                              • Opcode ID: 55eb7826d563ff2c1d50499364cbb9468147e802c1e877f3e99fccc367ec7dba
                                              • Instruction ID: ff5f311fe46e7b4ebfcb68b09941ad1d483f0036ba594d17b6c022e190a0a7ce
                                              • Opcode Fuzzy Hash: 55eb7826d563ff2c1d50499364cbb9468147e802c1e877f3e99fccc367ec7dba
                                              • Instruction Fuzzy Hash: 3B01A9B160E3824FD33B86295C201666F72AED752071A42DBD591DF2EBCA348849C3A7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000E.00000002.1529311626.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_14_2_71b0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'q$4'q$$q$$q
                                              • API String ID: 0-3199993180
                                              • Opcode ID: 814fe7adbac70b8d3c4671c70dd512388ace37b7d33d6852790af05d3d76bfed
                                              • Instruction ID: 7e412109f3dfd0b7e0d8dcc3fdf4a487edb59d281e5b0bf1a5ee759cce823b0a
                                              • Opcode Fuzzy Hash: 814fe7adbac70b8d3c4671c70dd512388ace37b7d33d6852790af05d3d76bfed
                                              • Instruction Fuzzy Hash: 0B01A72070D3964FC33B576968241967FB29FC751076E40DBD482DB2A7CE148D09C767
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b8272e231bb67d34bb42254923c28940d6653959e7da85d168cb854da767cda9
                                              • Instruction ID: ba3a8ca8c3a32dad1d26054eea39d1d263dc9a14fe34ba7945486c28be799bc6
                                              • Opcode Fuzzy Hash: b8272e231bb67d34bb42254923c28940d6653959e7da85d168cb854da767cda9
                                              • Instruction Fuzzy Hash: 4A914274F007185BDB19EFB5845066EBBF2EF84700B00892DD516AB388DF74AE058BD5
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6cc8d64e4e83e5a39451464b87e7d11106d6c332aea03efb34c7d1bec833144b
                                              • Instruction ID: 4645d506836c1d8174c08853542a1834d7aa65dcd8f16cb779f7590d753b4c80
                                              • Opcode Fuzzy Hash: 6cc8d64e4e83e5a39451464b87e7d11106d6c332aea03efb34c7d1bec833144b
                                              • Instruction Fuzzy Hash: BA913374F007185BDB19EFB5845066EBBE2EFC4700B40892DD516AB388DF78AE058BD5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'q$4'q$4'q$4'q
                                              • API String ID: 0-4210068417
                                              • Opcode ID: f1a1d0bd98fdfc17ad74641119f826a5c39dd0f2bc18252a0083d0851d7b070e
                                              • Instruction ID: fb20943d98d04abda3e9d88625652d1f37df285f2624882bc2ead084db0c313e
                                              • Opcode Fuzzy Hash: f1a1d0bd98fdfc17ad74641119f826a5c39dd0f2bc18252a0083d0851d7b070e
                                              • Instruction Fuzzy Hash: 8C1258F1B043428FEB258B68941176ABBF2EFC1210F1880FAD941DB291DB31DC52DBA5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: pi5k$Jnl
                                              • API String ID: 0-845687747
                                              • Opcode ID: 1eec6ca64181baed246f36018be614dbd36c4958f9f2beabaa41ac41f4f3ba18
                                              • Instruction ID: 011123b1b90ce8d15005baba685c218e2221f9865a785e5b178898dbc658a93b
                                              • Opcode Fuzzy Hash: 1eec6ca64181baed246f36018be614dbd36c4958f9f2beabaa41ac41f4f3ba18
                                              • Instruction Fuzzy Hash: B231D235E00215DFCB24DF79D894A9DBBF2FF48205F188529E415AB384CB70AC05CB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: pi5k$Jnl
                                              • API String ID: 0-845687747
                                              • Opcode ID: 689128d7ac7cac6e8f2f8c7bb7667ef8064ed434721bbbf4d921c3003e5f4617
                                              • Instruction ID: de9c74e0f858e687e5a4a7961523133e00571a077aead642fe15c60718aa0096
                                              • Opcode Fuzzy Hash: 689128d7ac7cac6e8f2f8c7bb7667ef8064ed434721bbbf4d921c3003e5f4617
                                              • Instruction Fuzzy Hash: 0B316D34A00615DFCB24DF79E994A9EBBF2FF48205F14C529E416AB394DB30AD05CB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (q
                                              • API String ID: 0-2414175341
                                              • Opcode ID: b65c0f3d24a5c2f72cc178dd956c609ddd6d73d64aba2fc727df14222a90e17d
                                              • Instruction ID: 4a66ba6e6066ed72e554533c802e1c769a88a81bf886e94b9f954a8e4468e517
                                              • Opcode Fuzzy Hash: b65c0f3d24a5c2f72cc178dd956c609ddd6d73d64aba2fc727df14222a90e17d
                                              • Instruction Fuzzy Hash: 76416C34B042158FDB18DB64C898AAEBBF1EF8D715F188099E402EB391DB35DC02CB61
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (&q
                                              • API String ID: 0-583763264
                                              • Opcode ID: 5e5b251daf722f6cfc56babef7f39e6055954849d1d06d1beb16b480cfc4752d
                                              • Instruction ID: a4b1b6345571363632d1aa9f151f69dec82aff90c13ef5393b41b5cb19c1a7e6
                                              • Opcode Fuzzy Hash: 5e5b251daf722f6cfc56babef7f39e6055954849d1d06d1beb16b480cfc4752d
                                              • Instruction Fuzzy Hash: AE21B275E043588FCB25DFAAE840B9EFBF5EF89220F14846AD418E7340CB7599058BA5
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a4c274923a7c39f1b3daa6e6bc942b4e747481011e4db020a9d7678f09cc67e2
                                              • Instruction ID: 18455ca3d7b4ddaecc50265cf1b9bcbfee952cd670c2fccd2ef1897a99935bb5
                                              • Opcode Fuzzy Hash: a4c274923a7c39f1b3daa6e6bc942b4e747481011e4db020a9d7678f09cc67e2
                                              • Instruction Fuzzy Hash: 00B109B2B003069FEB259F6988017AE7BE1FF89211F1480FAF545DB251DA31DC41E7A6
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5ddebb79c705537e776d79c74225782be0f6be991b5ba7c4ac1085f50022dc2b
                                              • Instruction ID: 2660b0941295b0472f8fb370a4a39d88590fffd378e305cca641e3108f14c11a
                                              • Opcode Fuzzy Hash: 5ddebb79c705537e776d79c74225782be0f6be991b5ba7c4ac1085f50022dc2b
                                              • Instruction Fuzzy Hash: 67918E74A006158FCB15DF58C4D4AAEFBB5FF48310B288699D815EB3A5C736EC92CB90
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 37dee2f5fc2a2bf2e350353904a98723d7039ce06abb7e266b43c60e3c8f1774
                                              • Instruction ID: eacd205d81f09fe64dda581b11ec1db943f7252572a1605c5f71460fb5cbcdcf
                                              • Opcode Fuzzy Hash: 37dee2f5fc2a2bf2e350353904a98723d7039ce06abb7e266b43c60e3c8f1774
                                              • Instruction Fuzzy Hash: BA51F2343043119FD714DB75DC85A2A7BEAFFC9215B2944AAE509CB391DB31DC01CBA0
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4014daba018301be8ef1c220d994eee03ab01656e402c9ec6c875a58e905b565
                                              • Instruction ID: 9b7d1080adc80e57d1756bd3a7edae3ab1fb1450a2ac944b2cf11a902961c120
                                              • Opcode Fuzzy Hash: 4014daba018301be8ef1c220d994eee03ab01656e402c9ec6c875a58e905b565
                                              • Instruction Fuzzy Hash: F9612675E042189FCB15DFA9D884B9DFBF5EF88310F18816AE809AB354DB709C41CB60
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4bdd5a385db8bccd4f25fa8defbc69a9287945b26f154efc88a760e31c58cfe6
                                              • Instruction ID: a64a4f5febf5859338d14cb53aa05e03b5164931272c75520bba1c09b6994b63
                                              • Opcode Fuzzy Hash: 4bdd5a385db8bccd4f25fa8defbc69a9287945b26f154efc88a760e31c58cfe6
                                              • Instruction Fuzzy Hash: A2512575E042589FCB15CFA9D884B9DFBF5EF88310F18816AE819AB364DB709845CB60
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd865bcc1342e26f8ed2c41f1a88f13fb2eac3cb4e0a581d0f2bb019e7fc295c
                                              • Instruction ID: 2966c493fb77725e166ad80211365260191f3e5a23ee11ccd2bf928f740066a1
                                              • Opcode Fuzzy Hash: fd865bcc1342e26f8ed2c41f1a88f13fb2eac3cb4e0a581d0f2bb019e7fc295c
                                              • Instruction Fuzzy Hash: 1A515034B003058FDB20DB78D8C4D6A7BE6EF8821575985A8E859CF395EB74EC028F51
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 59f687fa5e533e8ff2c81d4cd52b014fb7944460fa904ff4a453dc5dab2a7b56
                                              • Instruction ID: 8382f2878654ac13629bdc92600b1a137bfe01ea075f6d569076c49b42e46312
                                              • Opcode Fuzzy Hash: 59f687fa5e533e8ff2c81d4cd52b014fb7944460fa904ff4a453dc5dab2a7b56
                                              • Instruction Fuzzy Hash: 0B418F7540E3E28FD7079B68D8A46D6BF74AF07224F1A45C7C091CB1E3D626590AC762
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1b3538d12080d5cede257b69176ec79d975b30a3dbbbd23f43baa17a4be3ef32
                                              • Instruction ID: 04ed3d28bd00256c6edf28462e271f0d3f2d1969324d7a9518c0f8ad2882378e
                                              • Opcode Fuzzy Hash: 1b3538d12080d5cede257b69176ec79d975b30a3dbbbd23f43baa17a4be3ef32
                                              • Instruction Fuzzy Hash: E7413D34B003058FDB20DB68D9C4D6AB7E6EFC821575585A8E819CF395EB34EC028FA1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 32012e8121e2148dcd21f05c2d1be208e0597bce599a7c236da7f0794ea0e53b
                                              • Instruction ID: d00a6f59283f6c85ef64427c1507b2c590234c8b864c55be6debf36e1c6e07bc
                                              • Opcode Fuzzy Hash: 32012e8121e2148dcd21f05c2d1be208e0597bce599a7c236da7f0794ea0e53b
                                              • Instruction Fuzzy Hash: 1041E4F1A11202DFEF25CF688511A667BF2EF80204B1D80D9D900AB295D735EC41D7A9
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 884ab39accfc702b2905bb1049f5d24d537a26d6bb452a25f8b38ac5bd37d107
                                              • Instruction ID: 268253baac0bda3b2073c64808ef42253ab8125be2fb755b900dba220055727f
                                              • Opcode Fuzzy Hash: 884ab39accfc702b2905bb1049f5d24d537a26d6bb452a25f8b38ac5bd37d107
                                              • Instruction Fuzzy Hash: 97414974A006158FCB15DF58C4D8AAAFBB6FF48310B158599D819AB3A4C736EC91CBA0
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ff582af6bc4a593a04b17c674ebcffa117c40e13de712bcce63f1102786254e9
                                              • Instruction ID: 5ad1bb72c350d55a217c1be55f3c690c26993680edc9dcdf59abc5c8c2f7477d
                                              • Opcode Fuzzy Hash: ff582af6bc4a593a04b17c674ebcffa117c40e13de712bcce63f1102786254e9
                                              • Instruction Fuzzy Hash: 3431BE393007109FD715DB78D880B9EBB96EFC4211F048639E60ACB395DFB0A806CBA1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6d855ab3524b2344b03ee964ab5a46045288744be6b2ebf729cade0f4c921e54
                                              • Instruction ID: 06f53252d80035b5bdf49509161a2031c1c4312b7ede062fef2a1692e9979ba3
                                              • Opcode Fuzzy Hash: 6d855ab3524b2344b03ee964ab5a46045288744be6b2ebf729cade0f4c921e54
                                              • Instruction Fuzzy Hash: CC312D34B042158FDB15DF69D898AAEBBF1AF8D715F1890A8E402EB395DB35DC01CB60
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dd153a90bc9ae646fe8953525e37a4a774b0d984e8e4106ef23bad057a7b5006
                                              • Instruction ID: b6bbaae5f330b773f6786fc545adabda726020146aa1cacc71487d723077eeac
                                              • Opcode Fuzzy Hash: dd153a90bc9ae646fe8953525e37a4a774b0d984e8e4106ef23bad057a7b5006
                                              • Instruction Fuzzy Hash: 70319474E006199FDB14DFB9C8947AEBBF6EFC8211F148029E505EB394EB749C428B90
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ebc5a47e2552f5e363aa5575943921bd2a656a7f13fb0f6fa9e5b645ef4cbfdc
                                              • Instruction ID: aefecdf94ef56338c93bef76676a3f834f883fb265b45286c2d0d5f6c62f44b4
                                              • Opcode Fuzzy Hash: ebc5a47e2552f5e363aa5575943921bd2a656a7f13fb0f6fa9e5b645ef4cbfdc
                                              • Instruction Fuzzy Hash: 4A313C34B003058FDB20DF78D994A6EB7E6EF88215B1585A8E819CF395EB34ED028F51
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bb1b0a0b7851926b900ff4dedf1dc8744cccb1cc29c9d87799c699c578f79333
                                              • Instruction ID: 784770b9ad6b49e2a54c331a488c278f1462d3d71561c7fecd144663f41965cb
                                              • Opcode Fuzzy Hash: bb1b0a0b7851926b900ff4dedf1dc8744cccb1cc29c9d87799c699c578f79333
                                              • Instruction Fuzzy Hash: 783192B8E003099FDB01DBA4D894AAF7BB6EF89300F1584A9D211AF395DB34DD01CB51
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ce288fe54498e16ff62243719744fbfa797027ef3bc6c612f70b7e5507f50cde
                                              • Instruction ID: 2c5ae920dc601c37dfccd4eff4da38b8a7ff98415c799cfe3795606c1f9ccafb
                                              • Opcode Fuzzy Hash: ce288fe54498e16ff62243719744fbfa797027ef3bc6c612f70b7e5507f50cde
                                              • Instruction Fuzzy Hash: DF319334A003159FCB24DF69D8986AEBBF2FF8C215F048469D406EB394DB359C85CB91
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b1fd4c0453243d78801a66d3d7e3f01dfe8fe18b39c42812a15c48b1fb6b9ace
                                              • Instruction ID: 1f2bda9a0c952fdacd198a2b42751a43f528a31f1ca7e4d8038e8a20862a8a97
                                              • Opcode Fuzzy Hash: b1fd4c0453243d78801a66d3d7e3f01dfe8fe18b39c42812a15c48b1fb6b9ace
                                              • Instruction Fuzzy Hash: 06315074E006199FDB15DFA9D4947AEBBF6EFC8301F148029E505EB394EB748C428B60
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e96964c29f4e3942d58fbe90c0a96a8a3b88e873b9db41e2f98db560e5a76ac8
                                              • Instruction ID: 1eeb59928605ed51e40bf7f854fcd110fa55af62ad2d7b223717b7952d970e2e
                                              • Opcode Fuzzy Hash: e96964c29f4e3942d58fbe90c0a96a8a3b88e873b9db41e2f98db560e5a76ac8
                                              • Instruction Fuzzy Hash: 06219AF6600206DFEF258E99C544AF977A1FF45221F0480EAF9158B251C735DC45FB62
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 22368a79c503c6eccbbff80b31b542e5bb57a6647d123ba0f72e3baaf712414d
                                              • Instruction ID: b6afe1bc9ee3be1554e749793533b2eacef4daae73916bfba37ba7f3de9868ab
                                              • Opcode Fuzzy Hash: 22368a79c503c6eccbbff80b31b542e5bb57a6647d123ba0f72e3baaf712414d
                                              • Instruction Fuzzy Hash: 4831BE759053848EDB60CF2AD48878AFFF6EF88310F28C45DD4599B285C7786481CF61
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 606f1186c1348cc5eb9e8ebe481ffb63c5297b9ff37513ee40948ec9a3318b3e
                                              • Instruction ID: 6d42dc35db373b6a821fa7957ae31d319bc6d344cfeb03e1b5ca0492dd9337bc
                                              • Opcode Fuzzy Hash: 606f1186c1348cc5eb9e8ebe481ffb63c5297b9ff37513ee40948ec9a3318b3e
                                              • Instruction Fuzzy Hash: 402189F5A10216EFEB218E69C544BE97BE1FF45221F0480EAF8089B250D334DD84FBA1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e07db2245c8871ab9ae4d497b7f00491a97e8753ea2366ce0e7dee35da78b1a0
                                              • Instruction ID: 6aae4bdb15a70ba5486697a6e9503141bd7f75d207078e0c5a3d818c37e4c136
                                              • Opcode Fuzzy Hash: e07db2245c8871ab9ae4d497b7f00491a97e8753ea2366ce0e7dee35da78b1a0
                                              • Instruction Fuzzy Hash: 03312F34A003149FCB24DF69D458A9EBBF2FF8C214F148569D406EB394DB75AC45CB91
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: af58cb3404c9e8af81c4800021b5e2abded8f0f5f158250e0d4b83b922455b90
                                              • Instruction ID: e9d481323a5d24b8c7a5d758d857b4767937de915fb71357348ecd3418ac079f
                                              • Opcode Fuzzy Hash: af58cb3404c9e8af81c4800021b5e2abded8f0f5f158250e0d4b83b922455b90
                                              • Instruction Fuzzy Hash: 513130B8E007099FDB04EFA4D855AAEB7B6EF89300F108869D615AF394DB75DD018F50
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1561275222.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_31fd000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8428c4e04c44abe4a97d45445b3402cb8036ead83b01d0517052739534099d45
                                              • Instruction ID: 6ef100c0f72386f9c3a61475ce9b30722f4229d04b04e1c74b3d578f7a171738
                                              • Opcode Fuzzy Hash: 8428c4e04c44abe4a97d45445b3402cb8036ead83b01d0517052739534099d45
                                              • Instruction Fuzzy Hash: 4C21E276608700EFDB19DF10D9C0B16BB65FB88314F24C5A9EA490A256C376D457CBA1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1561275222.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_31fd000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d17ec28873b3b8f9dde1a8e24629d7563821d75f28085b4fa5867d52dec1c91c
                                              • Instruction ID: ec039c524362ed9b41d55c10fa8d2d8f5444faf4583aff80708fd29c9469816d
                                              • Opcode Fuzzy Hash: d17ec28873b3b8f9dde1a8e24629d7563821d75f28085b4fa5867d52dec1c91c
                                              • Instruction Fuzzy Hash: 35213775604300DFDB14DF10D9C4B16BB66EB88324F24C5ADDA094B282C3B6D447CA61
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ce7050a90b19793af3e53af0c5b4e01c2c5585a014bf8b3da4bb5286f35790a4
                                              • Instruction ID: f33c531e33f580cddad5dd00cb944f7237ccf349e2f2620de41042c7be8b5351
                                              • Opcode Fuzzy Hash: ce7050a90b19793af3e53af0c5b4e01c2c5585a014bf8b3da4bb5286f35790a4
                                              • Instruction Fuzzy Hash: B1219A75D057448FDB60CF6AC48838AFBF6EB88310F28C42ED81D97285CB7864818F60
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 02c820faf3dd8a6c0a814daff61e69e2ac177d4af1b6d0822c7e734836922f09
                                              • Instruction ID: 11ad516f7ab6ee6b3df56b5ed89e5935aa652b407a86d5396dba843f45f445b6
                                              • Opcode Fuzzy Hash: 02c820faf3dd8a6c0a814daff61e69e2ac177d4af1b6d0822c7e734836922f09
                                              • Instruction Fuzzy Hash: 53111239B002288FDF14DBA8E840ADD77F6FBCC225B1440A5E909DB355DB31DD128B90
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1561275222.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_31fd000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
                                              • Instruction ID: e7b11422453fa9184dc2dc0fe8fb3dde868df286f649b3b5bd4ae9a9ea3e2632
                                              • Opcode Fuzzy Hash: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
                                              • Instruction Fuzzy Hash: E421AC76504640DFCB06CF10D9C0B16BF72FB88314F28C5A9DA494A666C33AD46ACF91
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a68cc317c6874ec4b930eec2972ff11b123dab52e879329dac252825c4085653
                                              • Instruction ID: 925cb76c907aa397225532e2e166724443bb5ac1dce162d49be13633c5cf5316
                                              • Opcode Fuzzy Hash: a68cc317c6874ec4b930eec2972ff11b123dab52e879329dac252825c4085653
                                              • Instruction Fuzzy Hash: C711A1316083549FD726DF75D894A6ABFE5EF45250F1884EEE08EC76B2DA20E846C700
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1561275222.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_31fd000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 020411f76a1def23680c170f620a6ef38196b77a797ef2394590ff05fb243f34
                                              • Instruction ID: 70a2bc2c4e1be0fba2b1930068038c2ac63092edf85b0d189abef7be44aa09ea
                                              • Opcode Fuzzy Hash: 020411f76a1def23680c170f620a6ef38196b77a797ef2394590ff05fb243f34
                                              • Instruction Fuzzy Hash: 0C118B79604280DFCB15CF14D5C4B15BFA2FB88324F28C6AAD9494B696C37AD44BCB61
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f2c56ed70690232b3164816b9c1ffb424137cc508f423622a9f72993a03c7c15
                                              • Instruction ID: 8bfb56dbe13daa158a0f110cce9ade3a65b9e7d536a39b6b43010b8e0b6e133e
                                              • Opcode Fuzzy Hash: f2c56ed70690232b3164816b9c1ffb424137cc508f423622a9f72993a03c7c15
                                              • Instruction Fuzzy Hash: 24014931E042649FCB25D768D8885FDBBB59FC8210F0C806AD8059B7D1CA715C0287E0
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a6a01dbd73471e8ec62d846e4e498e7fe26b2d5a882421892f40a1be05755bde
                                              • Instruction ID: 98dcbd7e71765223a96cc38db60e90d8588f2ddbb99de1a49904927ed228d9b0
                                              • Opcode Fuzzy Hash: a6a01dbd73471e8ec62d846e4e498e7fe26b2d5a882421892f40a1be05755bde
                                              • Instruction Fuzzy Hash: B9113935204750CFC728DF75D480866BBF6EF8921532089ADD08A87BA0CB36F845CB50
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c989418ff71c532b4fb267d78f336ebe7ab5d25d7c8ec4cee1b8b824cbb77bb0
                                              • Instruction ID: 7499c611fb90acd946ef9126ee7133a70807a9a07f10c2cdbc132acd90a89f02
                                              • Opcode Fuzzy Hash: c989418ff71c532b4fb267d78f336ebe7ab5d25d7c8ec4cee1b8b824cbb77bb0
                                              • Instruction Fuzzy Hash: 13019235B00214CFCB159B74E808AAEBBF5FB88315F04406DE51AD3342DB729901CB90
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e6d01d321a6764b47ce27c166471b4df1ee13629195e204592c278b2e44f3ed5
                                              • Instruction ID: af8151422bd0025c698f7e6d7c77fc8731a84793271d1f69c861f947a4530f36
                                              • Opcode Fuzzy Hash: e6d01d321a6764b47ce27c166471b4df1ee13629195e204592c278b2e44f3ed5
                                              • Instruction Fuzzy Hash: 1FF0283570D3A06FD7128AB95C909BBBFE8DF8625070841ABF844C73A2C670CC048B60
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 00330417c03c7b79ae19b00fb8ddb2397b20f95fc758e4068b73ca91822d1fa7
                                              • Instruction ID: 1e62f5a3c024f2dc9c6c33ddcfcddd85f0b4d8797b2556cb31993c246376d2d7
                                              • Opcode Fuzzy Hash: 00330417c03c7b79ae19b00fb8ddb2397b20f95fc758e4068b73ca91822d1fa7
                                              • Instruction Fuzzy Hash: 7FF0463A6407746FCB22E349AC408EE7B6DDEC92F23080097E419CB681DB60890543F2
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1561275222.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_31fd000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7a78a9e102608f8a4080ef12d52d2bd158c72ae5d7754ce56b9707c551ecd14b
                                              • Instruction ID: 7d2bfd763c3bfaf11631f74d71211f8cb5359fe68dfc8f260dd6fd220f9d4a5d
                                              • Opcode Fuzzy Hash: 7a78a9e102608f8a4080ef12d52d2bd158c72ae5d7754ce56b9707c551ecd14b
                                              • Instruction Fuzzy Hash: CA01F7714043409FE724CA11EC84B77FF9CDF49265F18C15ADE480B186C7789885CAB1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1561275222.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_31fd000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ecfba99a17c447ffff9f1275dfb82ae81debf90d1f006b7db7e9347d253aa793
                                              • Instruction ID: 7fee34f98c6cd60d602723b1379926c902cb61acad5f7469cfdcbe330d644479
                                              • Opcode Fuzzy Hash: ecfba99a17c447ffff9f1275dfb82ae81debf90d1f006b7db7e9347d253aa793
                                              • Instruction Fuzzy Hash: 1C01407100E3C09FD7128B259894B62BFB8DF47224F1D81DBD9888F1A7C2695848C772
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bf0b44226b162cc76993609f6866bd199817883927542cad3d5d4c5b4f6105b6
                                              • Instruction ID: dd00d89fc63cb38423c0625246a691b2531ccb4e3f5dd782ec709c60e3a2be44
                                              • Opcode Fuzzy Hash: bf0b44226b162cc76993609f6866bd199817883927542cad3d5d4c5b4f6105b6
                                              • Instruction Fuzzy Hash: 47017B76A087109FD712DB3488543EA7F61EBC2210F4881ABC1158B38ACF3C5806C7E1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 184fcfd689e0f3f6e41cc2d874656ad5fd14928fca55b1e671a5de8beb0bb38b
                                              • Instruction ID: d54f981be46d7dcafb1a4dca3c12151896ec149d60bbdbed311ba52f77341b7c
                                              • Opcode Fuzzy Hash: 184fcfd689e0f3f6e41cc2d874656ad5fd14928fca55b1e671a5de8beb0bb38b
                                              • Instruction Fuzzy Hash: 5DF0F63560A3549FC712D7689C449AF7BE5EF89121704059EE149CB391DF309C45C361
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1561275222.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_31fd000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 60ad3e4541915d9db53392fc03d3c829200b69d041c42a55e834d470282cd964
                                              • Instruction ID: f7a10431282ce94f3f5d9a633c7b3bb4f0d05110dc3b95db55efcb0176fda540
                                              • Opcode Fuzzy Hash: 60ad3e4541915d9db53392fc03d3c829200b69d041c42a55e834d470282cd964
                                              • Instruction Fuzzy Hash: 47F0F976600600AFD724CF0ADD85C23FBADEBD4670719C55AE94A4B612C771EC41CEA0
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a380443ca9fe4037f94e52dcb16acbb3f0d4212ed56b07104c4bf79c3a43d2f3
                                              • Instruction ID: 791dcbba2072e4c1d1a3ea211722dd12b50ed05a29a2ddce7f359907a8f8576f
                                              • Opcode Fuzzy Hash: a380443ca9fe4037f94e52dcb16acbb3f0d4212ed56b07104c4bf79c3a43d2f3
                                              • Instruction Fuzzy Hash: 17F082393042508FC710DB2DE8D8866BBF9DFDA61531910E9E584CF776DA61DC12CB90
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5b79294b84abf0ea3dc3bbe4a6c9cc8a01687544823bf895995bdbe55b791a89
                                              • Instruction ID: 2c8874864b922c046f121276b8b9f4e7a678e96e35e3b497a1f734f605ace250
                                              • Opcode Fuzzy Hash: 5b79294b84abf0ea3dc3bbe4a6c9cc8a01687544823bf895995bdbe55b791a89
                                              • Instruction Fuzzy Hash: 13F0B4759053145FD760CB78D89C39A7FE4EB06310F04845ED15DC7282DB39A840C790
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 029784a416e483155f5c581e21a3e10613d21a24af748dcc9acdb0886ed2a198
                                              • Instruction ID: cc7898344b49dbce1e24b3d92daf061721210d2207d12e397006b0ae919d791c
                                              • Opcode Fuzzy Hash: 029784a416e483155f5c581e21a3e10613d21a24af748dcc9acdb0886ed2a198
                                              • Instruction Fuzzy Hash: E9F0A735700714AFD710DA59E88497F77E9EB88261B00052DE10EC7750DF30AD0287A4
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1561275222.00000000031FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031FD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_31fd000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f9be9bcac3b0cd24f6357ade2bb5ed4869d69405e3f188329fc5b6cd5c551161
                                              • Instruction ID: cadb4ed92a031afba1af0f42e1ef073cf1dc80ff8ee938ee39109aaf82c0a1c8
                                              • Opcode Fuzzy Hash: f9be9bcac3b0cd24f6357ade2bb5ed4869d69405e3f188329fc5b6cd5c551161
                                              • Instruction Fuzzy Hash: F9F0F975500A80AFD725CF06CD85D23BBB9EB89660B1A8499E85A4B712C771FC42CFA0
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e049823bb12acc7e0c7bec857908e1c95f960917b498e435165c41ce6f637abe
                                              • Instruction ID: 9fd342841dab79a7315e0f06b261d3241e81ffdcc55aae3fea5d41414fc4927d
                                              • Opcode Fuzzy Hash: e049823bb12acc7e0c7bec857908e1c95f960917b498e435165c41ce6f637abe
                                              • Instruction Fuzzy Hash: 5FF02779A047148BD704AF69D04479BBBA6EBC4314F10812AC6294B388CE396801C7F0
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 20ebfe17490d6c67e9793a20200c8b36b9e5f8827e7ff8b8023d92e541c5baf5
                                              • Instruction ID: 582de0911e4e3b4572135a70a86c71ae1d069abffa0c786089ebd00a9a8a0b30
                                              • Opcode Fuzzy Hash: 20ebfe17490d6c67e9793a20200c8b36b9e5f8827e7ff8b8023d92e541c5baf5
                                              • Instruction Fuzzy Hash: 67F0E5397002248FCB10EB6CEC40A9ABBE6EBCC65571941A5F909CF351DF30DC028B90
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9fd76b2f784630f13fb7f2d6c8a0b98d64ecba0da724346899f0a6861b0c123c
                                              • Instruction ID: d9ec8d685c977c7d1b6b35d9fbc8b81b4447a393db8b7d8ab9665d9502907b1f
                                              • Opcode Fuzzy Hash: 9fd76b2f784630f13fb7f2d6c8a0b98d64ecba0da724346899f0a6861b0c123c
                                              • Instruction Fuzzy Hash: 25E09226F053781A8E24D2B94D903BAA5CD8AC7961B4C02B68529DB2C2ED09CC0283B1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 583c02d8096fe2028338f45e7ce71db8b7a79e750b11484dbd2521f625c20733
                                              • Instruction ID: fa639a68e8cd2a946d559db26b9a48de159519bbed6932fb081e5b72077ba07c
                                              • Opcode Fuzzy Hash: 583c02d8096fe2028338f45e7ce71db8b7a79e750b11484dbd2521f625c20733
                                              • Instruction Fuzzy Hash: 09E0ED357001118F8214DB5DD498D66B7EAEFDE66531900A9E945CB375DA61DC018B90
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 95022e22d547bdb4781df53358a042a5b501e9400859cc5b262bb0d7accc2714
                                              • Instruction ID: b220333aff29e960f78d94b292d7e8181b3f5a2571e31bbe3430b70cb09f500e
                                              • Opcode Fuzzy Hash: 95022e22d547bdb4781df53358a042a5b501e9400859cc5b262bb0d7accc2714
                                              • Instruction Fuzzy Hash: 4EE09265B083B1178B2AC26A2C90076AFA74EC352070D46F7A140CB2C6D81188034350
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d2b225110a4c8601eb82434837e693e4967508bd6a8b8dfe44f261d914edf2a3
                                              • Instruction ID: c81bce460c2a4d3f01f0480708b028370747bef27d1814f32fbbd11ca39a5310
                                              • Opcode Fuzzy Hash: d2b225110a4c8601eb82434837e693e4967508bd6a8b8dfe44f261d914edf2a3
                                              • Instruction Fuzzy Hash: 4BE0D839714714ABCB096B75A40C2AF7E56EBC4721F00402EE61A87346CFB55902C3D5
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5185704a535d5358b60db90ad43a1d729dd84fe41c99a04820027cc66532cfae
                                              • Instruction ID: 76cdf14794ca05cbb44d7689ba76df0bc3818790825097000b6dc42bed6ad52b
                                              • Opcode Fuzzy Hash: 5185704a535d5358b60db90ad43a1d729dd84fe41c99a04820027cc66532cfae
                                              • Instruction Fuzzy Hash: FFF06D749003048FD764DB78D89C39BBBE9EB44310F00482DD21EC7281DF39A880CB90
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4504503d3e0955bfe7e419aec1713cbdacdf95eb4672fad355a43c688f8c7c31
                                              • Instruction ID: a345aa9e653ec9aa4aa5150def81dbee88f778dd72f3ae7e840bc43e52085c4c
                                              • Opcode Fuzzy Hash: 4504503d3e0955bfe7e419aec1713cbdacdf95eb4672fad355a43c688f8c7c31
                                              • Instruction Fuzzy Hash: 79E0D835C142298BCF15EBB4D8894BD7F34EA01701F0441EDE553951C6DA71558ACBC1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 31e4ce565a0c5c0a04c6a1c8b20e0627e168d0247cf42a7fa1886b638ce79f9b
                                              • Instruction ID: b70362e0138d72b27d60b4e81ee385a0990abc7876993aa6a323256d15b426aa
                                              • Opcode Fuzzy Hash: 31e4ce565a0c5c0a04c6a1c8b20e0627e168d0247cf42a7fa1886b638ce79f9b
                                              • Instruction Fuzzy Hash: EEE026397047109BCB0C7B79A40C2AF7A96EBC4720F00402ED71A87386CFB85C0283E5
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 86543532f49755f3e46380b91c8704f53f404c6c267a721052014af13918349f
                                              • Instruction ID: f3990156e789c822aa33a75c10b5fe6788a50d10b8db6671d2f24ba1e368a0a1
                                              • Opcode Fuzzy Hash: 86543532f49755f3e46380b91c8704f53f404c6c267a721052014af13918349f
                                              • Instruction Fuzzy Hash: BAD09E66F022791B4E64A2AA5D907BBE1CECAC6CA174901769A15DF2C5ED44CC0643F1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3159150b6b704197db780b303cdce6d0f8a56d3fe578bbc2b63a46b161d69b96
                                              • Instruction ID: 2fa42cb515e7cdf759157178095b1906b122e5759a59df5a2c06f4f737bdbfd7
                                              • Opcode Fuzzy Hash: 3159150b6b704197db780b303cdce6d0f8a56d3fe578bbc2b63a46b161d69b96
                                              • Instruction Fuzzy Hash: 59E0D830D1834A5BC714DF64D88656D7FB4DB55706F048068ED459B38ADA315841CBC1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 095fcc6194f04dc3d86c67b75f9ef9d07cba81f2a1b51a058b2644db5842d63f
                                              • Instruction ID: 38c7db2894c981fd0db4775f619bba131efc26786233bfc24f9f438c88c88ec3
                                              • Opcode Fuzzy Hash: 095fcc6194f04dc3d86c67b75f9ef9d07cba81f2a1b51a058b2644db5842d63f
                                              • Instruction Fuzzy Hash: 13E0C239700B240B8326A71EA80089F77EFDEC95F1308842EE059CB340DFA4EC0647E6
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                              • Instruction ID: 17fbb8a06a182bd534e9c5064219ae0dc66fca90f10ad224a768ff1b7b499081
                                              • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                              • Instruction Fuzzy Hash: 3BE08631B000149B8B08D699D4545EDF7A9DBCC220F04847ED90AA7790DA32691686E1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cfcc7897b10a15ce6cf9a7d449ca398722e200f16ff4003de95c543bfca42376
                                              • Instruction ID: 5b07a49d43fbf5236664df5b22c958459c59c745a51f2c1673e46b82dc3ea205
                                              • Opcode Fuzzy Hash: cfcc7897b10a15ce6cf9a7d449ca398722e200f16ff4003de95c543bfca42376
                                              • Instruction Fuzzy Hash: B6E01A70E0014A8FCB80EFBC8881599FFF0EB49200B1586AEC949D7201E7328612CB81
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                              • Instruction ID: 3ae00c5f8ee80ac0ac3ce97696e1dd73c06362b90f4496664993e10516377028
                                              • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                              • Instruction Fuzzy Hash: 39D067B0D042199F8780EFADC94156EFBF4EB48204F6085AA891DE7341E7729A12CBD1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c6b9e59f8986fc64080c9500d5fe2e32793f0f739189ff9ef636f16de39c39c0
                                              • Instruction ID: 5a8f428e94cc6ea4471463961297651569055868ae85d3fd60639b76a953301c
                                              • Opcode Fuzzy Hash: c6b9e59f8986fc64080c9500d5fe2e32793f0f739189ff9ef636f16de39c39c0
                                              • Instruction Fuzzy Hash: 06D01735C142098BCB08EBA4E85A4BDBB34FA00302F41816DE91752196EA711A8ACAC1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 426990b1ab625c95a89c3939c69cba6fef092afd65db7441eb1e52a067a66633
                                              • Instruction ID: a9e80de3fa5f7968b7bf4ef16f284feff434a0891652660d9a137313f9aa5969
                                              • Opcode Fuzzy Hash: 426990b1ab625c95a89c3939c69cba6fef092afd65db7441eb1e52a067a66633
                                              • Instruction Fuzzy Hash: CFD01234D1420A8B8714DF64D44646EBBB4E744204F008159DA4593345EA305841CBC1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6cda61bfa425b0d6558287713d4c22b3c946304e83654757d941aeb7f5aac262
                                              • Instruction ID: 3641cba48202d849a65518e4e78692ae8827492452f60211d6b8a9ac8a98067a
                                              • Opcode Fuzzy Hash: 6cda61bfa425b0d6558287713d4c22b3c946304e83654757d941aeb7f5aac262
                                              • Instruction Fuzzy Hash: C8D09E3444F3C49FC7175B7C94684583F209D0321470505DED8868F1B7C9758445CB06
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 84c6b07b47a0ecbb121e0863166ae80a844629e382bb5c4488a903f1d9faa69e
                                              • Instruction ID: 28f0a619d369dd8d84763192d68812201f20a3ede2deb001ac935eab402a046c
                                              • Opcode Fuzzy Hash: 84c6b07b47a0ecbb121e0863166ae80a844629e382bb5c4488a903f1d9faa69e
                                              • Instruction Fuzzy Hash: C8C0481908FBC4AEE70322354C202816F312A8245478F12DA8AC0DFAA3D64E480ECB52
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6e0780c198b814fa45f2faa0a686eed164e4c5beac1e404dfddb672c33ad51f9
                                              • Instruction ID: 9efc3929f9c44cee58d9891a887b1eaadbf914bf6af0c17bd2f0a41b75bbc648
                                              • Opcode Fuzzy Hash: 6e0780c198b814fa45f2faa0a686eed164e4c5beac1e404dfddb672c33ad51f9
                                              • Instruction Fuzzy Hash: 2FB0923004570C9FC2486FB9A4189187B29EB4021578104A9E90E0B3A69E36E885CA44
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $c`k$4'q$4'q$4'q$4'q$84kl$84kl$pi5k$tPq$tPq$Jnl$Jnl$Jnl$Jnl$Jnl$rml$rml
                                              • API String ID: 0-1316400237
                                              • Opcode ID: e54c7af842b1a32da4d0fcae5b79599e05c2f61a1b4ddbdd6bf607691be01da5
                                              • Instruction ID: 2e762f7c4862ee36608f6ddb902201622a6d2682cbc619c02bab3da98e60ba20
                                              • Opcode Fuzzy Hash: e54c7af842b1a32da4d0fcae5b79599e05c2f61a1b4ddbdd6bf607691be01da5
                                              • Instruction Fuzzy Hash: 3AD137F5F0430E8FEB258B6D94046AABBE2EFC5211F1884EBD5158B251DB31D882D7A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'q$4'q$tPq$tPq$$q$$q$$q$$q$cl$cl
                                              • API String ID: 0-3549127322
                                              • Opcode ID: fd449e5dab69c404269321931896099e6e381cc85017c3ce34aefe158cf1d4ae
                                              • Instruction ID: 7b4836a64faf98628ff899e62c78b0aad51abba0e3de4d89623c19ac94f5fa6e
                                              • Opcode Fuzzy Hash: fd449e5dab69c404269321931896099e6e381cc85017c3ce34aefe158cf1d4ae
                                              • Instruction Fuzzy Hash: 01A14BF17043558FE7259B69981177ABBE2EFC5210F1C80AEE946EB391CA31DC41C7A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fq$84kl$`Qq$`Qq$tPq$$q$$q$$q$$q$$q
                                              • API String ID: 0-3965770199
                                              • Opcode ID: 57c5d6b53af9818bab6a0aa8a069475144f3c7e0a6865a3a7ca02b6fabc2ddde
                                              • Instruction ID: 12be56831e0ed84b217015fb6bd78094f48726f4e4b36d06d1c0f119775a877a
                                              • Opcode Fuzzy Hash: 57c5d6b53af9818bab6a0aa8a069475144f3c7e0a6865a3a7ca02b6fabc2ddde
                                              • Instruction Fuzzy Hash: 626148F0E1420EEFFB248E4CD544BAA77B2EB45241F1980E6E8019B291C771DDC0EBA5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'q$4'q$$q$$q$$q$cl$cl
                                              • API String ID: 0-3173862579
                                              • Opcode ID: d01b3b39786c33f48e894ac76c13291681d9114cc1e6075485d8f8437c4f2ce1
                                              • Instruction ID: 0c1f483c4899b5534cd901fddaf7b627e5a097c305158765175ebc92391075e3
                                              • Opcode Fuzzy Hash: d01b3b39786c33f48e894ac76c13291681d9114cc1e6075485d8f8437c4f2ce1
                                              • Instruction Fuzzy Hash: 435167F17043469FEB245B698405766BBF2EFC6211F2C80ABD485EB291DA31D842D7A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $c`k$$q$$q$Jnl$Jnl$Jnl
                                              • API String ID: 0-1118177067
                                              • Opcode ID: 8347e80394c478b6808a3628c37824a2b842351bd6fdd89341b5a8e8659392c0
                                              • Instruction ID: 3441cf1daeee71805dbe63ffef18025b9d0f528f168f3977a61c62778138e97e
                                              • Opcode Fuzzy Hash: 8347e80394c478b6808a3628c37824a2b842351bd6fdd89341b5a8e8659392c0
                                              • Instruction Fuzzy Hash: 69118CF2A153139FF234055DAC006E3A7E2FFC4620F05819BFA405B208C67088C0E3DA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: tMml$`q$`q$`q$`q
                                              • API String ID: 0-2236247844
                                              • Opcode ID: 65526fc2078456768782e61e0f730f4044f8a3142c8872d976384274fbecce3c
                                              • Instruction ID: 60fa684b79a0b9adb37294732aef7ccf36693eef4f7ddd371cfd912d26ca2771
                                              • Opcode Fuzzy Hash: 65526fc2078456768782e61e0f730f4044f8a3142c8872d976384274fbecce3c
                                              • Instruction Fuzzy Hash: 61B1A474E013199FDB54DFA9D980A9DFBF2BF48300F14862AD819AB354EB30A905CF91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: tMml$`q$`q$`q$`q
                                              • API String ID: 0-2236247844
                                              • Opcode ID: 6cf35e0bbd9896deccb0b99b3a1ffa97beb5a286b21b0dac427cd374f1012240
                                              • Instruction ID: 452ef93f13582ba33452b66a09ef1034225b70796f076f7ed617e201108c1f46
                                              • Opcode Fuzzy Hash: 6cf35e0bbd9896deccb0b99b3a1ffa97beb5a286b21b0dac427cd374f1012240
                                              • Instruction Fuzzy Hash: DEB18474E007199FDB54DFA9D990A9DFBF2FF48200F148629D819AB354DB30A9058F91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: pi5k$pi5k$pi5k$Jnl$Jnl
                                              • API String ID: 0-2356366091
                                              • Opcode ID: fffef4658d55e6fcd136ce9440de1d5b13e9dbeac4481de67f57bab212103097
                                              • Instruction ID: 4803c9c0a7054f03b77a1abe8556a24225833784307c549ec029fff3994957df
                                              • Opcode Fuzzy Hash: fffef4658d55e6fcd136ce9440de1d5b13e9dbeac4481de67f57bab212103097
                                              • Instruction Fuzzy Hash: 8D21D8B17003089FFB249F6984407EE7BF2BF89220F1084A9E9159F241CB71DC41D7A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Tc`k$lc`k$Jnl$Jnl$Jnl
                                              • API String ID: 0-2889873169
                                              • Opcode ID: 1d41c03aeba70cf67a8e9ba88959410eb50239b5abc1291f5d8d67af4019134d
                                              • Instruction ID: 6d3533acccd6ed608723daa4eba37f41bfb1297eb9d742bcf085416d02a9c9be
                                              • Opcode Fuzzy Hash: 1d41c03aeba70cf67a8e9ba88959410eb50239b5abc1291f5d8d67af4019134d
                                              • Instruction Fuzzy Hash: 731178F061D3528FE3194F6898116A27FB1BBC2310B0484EBE5409F689C6709C81D39E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1562981127.00000000033E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_33e0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: `q$`q$`q$`q
                                              • API String ID: 0-10485352
                                              • Opcode ID: 732f6768589bfe8d13b5c5ab07a02237d672dba7bcc9b13e0f72c4d2d407eaff
                                              • Instruction ID: 11f090b37317cfe52a6af5ac5e847afd79e1837debbc81cfe1bb45c97d244f1a
                                              • Opcode Fuzzy Hash: 732f6768589bfe8d13b5c5ab07a02237d672dba7bcc9b13e0f72c4d2d407eaff
                                              • Instruction Fuzzy Hash: 8A915278E012199FDB54CFA9D990A9DFBF6FF48200F24862AD419AB354D730A9058F90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $q$$q$$q$$q
                                              • API String ID: 0-4102054182
                                              • Opcode ID: 7640768f707d01fc52531119df56b41cb57399eb1956b4a9951c7f5d1b5eadeb
                                              • Instruction ID: 34e8aa006329ba16cc36ae025e92957514ff7ea8c4eee94c0e5f4806956eb12b
                                              • Opcode Fuzzy Hash: 7640768f707d01fc52531119df56b41cb57399eb1956b4a9951c7f5d1b5eadeb
                                              • Instruction Fuzzy Hash: A52147F13147069BFB345A3A9801B27BBDBEFC0711F24807AEA058B281DD75D81193A2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: lc`k$Jnl$Jnl$Jnl
                                              • API String ID: 0-1222511817
                                              • Opcode ID: 0cfbb50b1e10c738591e809ec66be0a47de6094c091bbe654eb7ae1598aaceaf
                                              • Instruction ID: 1cd4da2b81b972014f7fcddcd124f8b0bce475060a7fdba13a59f9d89a29d157
                                              • Opcode Fuzzy Hash: 0cfbb50b1e10c738591e809ec66be0a47de6094c091bbe654eb7ae1598aaceaf
                                              • Instruction Fuzzy Hash: 3B1138F4A0D3A14FE31A4B7548116B23F617FC721070980DFE0909F69AC8649885E3AA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.1583476065.0000000007B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_7b40000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'q$4'q$$q$$q
                                              • API String ID: 0-3199993180
                                              • Opcode ID: ecba8589ea750326f7b08eb3f24114cb2806940218e1d263f57f0dd1500d410e
                                              • Instruction ID: 6bb499c31e52467c2af6896679aaa6ee5cec59da67e87d6964a8251aed50bc83
                                              • Opcode Fuzzy Hash: ecba8589ea750326f7b08eb3f24114cb2806940218e1d263f57f0dd1500d410e
                                              • Instruction Fuzzy Hash: F3014CB66083578FE73A273C28202657FB29FC6540B2E51D7D941DF296CE209C12C7AA